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Preface 


The preface to a textbook frequently contains the author’s justification for 
offering the public “another book” on the given subject. For our chosen 
topic, the arithmetic of elliptic curves, there is little need for such an apologia. 
Considering the vast amount of research currently being done in this area, 
the paucity of introductory texts is somewhat surprising. Parts of the theory 
are contained in various books of Lang (especially [La 3] and [La 5]); and 
there are books of Koblitz ([Kob]) and Robert ([Rob], now out of print) 
which concentrate mostly on the analytic and modular theory. In addition, 
survey articles have been written by Cassels ([Ca 7], really a short book) and 
Tate ((Ta 5], which is beautifully written, but includes no proofs). Thus the 
author hopes that this volume will fill a real need, both for the serious student 
who wishes to learn the basic facts about the arithmetic of elliptic curves; and 
for the research mathematician who needs a reference source for those same 
basic facts. 

Our approach is more algebraic than that taken in, say, [La 3] or [La 5], 
where many of the basic theorems are derived using complex analytic 
methods and the Lefschetz principle. For this reason, we have had to rely 
somewhat more on techniques from algebraic geometry. However, the geom- 
etry of (smooth) curves, which is essentially all that we use, does not require 
a great deal of machinery. And the small price paid in learning a little bit of 
algebraic geometry is amply repaid in a unity of exposition which (to the 
author) seems to be lacking when one makes extensive use of either the 
Lefschetz principle or lengthy (but elementary) calculations with explicit 
polynomial equations. 

This last point is worth amplifying. It has been the author’s experience that 
“elementary” proofs requiring page after page of algebra tend to be quite 
uninstructive. A student may be able to verify such a proof, line by line, and 
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at the end will agree that the proof is complete. But little true understanding 
results from such a procedure. In this book, our policy is always to state 
when a result can be proven by such an elementary calculation, indicate 
briefly how that calculation might be done, and then give a more enlighten- 
ing proof which is based on general principles. 

The basic (global) theorems in the arithmetic of elliptic curves are the 
Mordell—Weil theorem, which is proven in chapter VIII and analyzed more 
closely in chapter X; and Siegel’s theorem, which is proven in chapter IX. The 
reader desiring to reach these results fairly rapidly might take the following 
path: 


I and II (briefly review), III (§1-8), IV (§1—6), V (§1), 
VII (§1—5), VIII (§1-6), IX (§1—7), X (§1-6). 


This material also makes a good one-semester course, possibly with some 
time left at the end for special topics. The present volume is built around the 
notes for such a course, taught by the author at M.I.T. during the spring term 
of 1983. [Of course, there are many other possibilities. For example, one 
might include all of chapters V and VI, skipping IX and (if pressed for time) 
X.] Other important topics in the arithmetic of elliptic curves, which do not 
appear in this volume due to time and space limitations, are briefly discussed 
in appendix C. 

It is certainly true that some of the deepest results in this subject, such as 
Mazur’s theorem bounding torsion over Q and Faltings’ proof of the isogeny 
conjecture, require many of the resources of modern “SGA-style” algebraic 
geometry. On the other hand, one needs no machinery at all to write down 
the equation of an elliptic curve and to do explicit computations with it; and 
so there are many important theorems whose proof requires nothing more 
than cleverness and hard work. Whether your inclination leans toward 
heavy machinery or imaginative calculations, you will find much that re- 
mains to be discovered in the arithmetic theory of elliptic curves. Happy 
hunting! 
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Introduction 


The study of Diophantine equations, that is the solution of polynomial 
equations in integers or rational numbers, has a history stretching back to 
ancient Greece and beyond. The term Diophantine geometry is of more recent 
origin, and refers to the study of Diophantine equations through a combin- 
ation of techniques from algebraic number theory and algebraic geometry. 
On the one hand, the problem of finding integer and rational solutions to 
polynomial equations calls into play the tools of algebraic number theory, 
which describes the rings and fields wherein those solutions lie. On the other 
hand, such a system of polynomial equations describes an algebraic variety, 
which is a geometric object. It is the interplay between these two points of 
view which is the subject of Diophantine geometry. 
The simplest sort of equation is linear: 


aX +bY=c a, b, ce Z, aorb £0. 


Such an equation always has rational solutions. It will have integer solutions 

if and only if the greatest common divisor of a and b divides c; and if this 

occurs, then one can find all solutions by using the Euclidean algorithm. 
Next in order of difficulty come quadratic equations: 


aX*4+bXY¥4+cY*+dX +eY+f=0 a iifez, a,b, orc #0. 


They describe conic sections, and by a suitable linear change of coordinates 
with rational coefficients, one can transform a given equation into one of the 


following forms: 
AX”? + BY?=C _ ellipse 


AX*—BY?=C_ hyperbola 
AX + BY? =0 parabola. 
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For quadratic equations, one has the following powerful theorem which aids 
in their solution. 


Hasse—Minkowski Theorem ([Se 7, [V Thm. 8]). Let f(X, Y)e QLX, Y] bea 
quadratic polynomial. Then the equation f(X, Y) = 0 has a solution (x, y)<¢ Q? 
if and only if it has a solution (x, y)€R? and a solution (x, y)¢Q? for every 
prime p. (Here Q, is the field of p-adic numbers.) 


In other words, a quadratic polynomial has a solution in Q if and only if it 
has a solution in every completion of Q. Now checking for solutions in Q, 
will, by Hensel’s lemma, be more or less the same as checking for solutions in 
the finite field Z/pZ; and this, in turn, is easily accomplished by using quadra- 
tic reciprocity. Let us summarize the steps which go into the Diophantine 
analysis of quadratic equations. 


(1) Analyze the equations over finite fields. [Quadratic reciprocity] 

(2) Use this information to study the equations over complete local fields Q,. 
[Hensel’s lemma] (We must also analyze them over R.) 

(3) Piece together all the local information to obtain results for the global 
field Q. [Hasse principle] 


Where does the geometry appear? Linear and quadratic equations in two 
variables define curves of genus 0. The above discussion says that we have a 
fairly good understanding of the arithmetic of curves of genus 0. The next 
simplest case, namely the arithmetic properties of curves of genus 1 (which 
are given by cubic equations in two variables), is our object of study in this 
book. The arithmetic of these so-called elliptic curves already presents com- 
plexities on which much current research is centered. Further, they provide a 
standard testing ground for conjectures and techniques which can then be 
fruitfully applied to the study of curves of higher genus and (abelian) varieties 
of higher dimension. 

Briefly, the organization of this book is as follows. After two introductory 
chapters giving basic material on algebraic geometry, we start by studying 
the geometry of elliptic curves over algebraically closed fields (chapter III). 
We then follow the program outlined above and investigate the properties of 
elliptic curves over finite fields (chapter V), local fields (chapters VI, VII), and 
global (number) fields (chapters VIII, IX, X). Our understanding of elliptic 
curves over finite and local fields will be fairly satisfactory. However, it turns 
out that the analogue of the Hasse-Minkowski theorem is false for poly- 
nomials of degree greater than 2; this means that the transition from local to 
global is far more tenuous than in the degree 2 case. We study this problem in 
some detail in chapter X. 

The theory of elliptic curves is rich, varied, and amazingly vast. The 
original aim of this book was to provide an essentially self-contained intro- 
duction to the basic arithmetic properties of elliptic curves. Even such a 
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limited goal proved to be too ambitious. The material described above is 
approximately half of what the author had hoped to include. The reader 
will find a brief discussion and list of references for the omitted topics in 
appendix C. 

Our other goal, that of being self-contained, has been more successful. We 
have, of course, felt free to state results that every reader should be aware of, 
even when the proofs are far beyond the scope of this book. However, we 
have endeavored not to use such results for making further deductions. There 
are three major exceptions to this general policy. First, we have not proven 
that every elliptic curve over C is uniformized by elliptic functions (VI.5.1). 
This result fits most naturally into a discussion of modular functions, which 
is one of the topics which had to be omitted. Second, we have not proven that 
over a complete local field, the “non-singular” points sit with finite index 
inside the set of all points (VII.6.2). This can actually be proven by quite 
explicit polynomial computations (cf. [Ta 6]), but they are rather lengthy, 
and again have not been included due to lack of space. Finally, in the study of 
integral points on elliptic curves, we have made use of Roth’s theorem 
(IX.1.4) without giving a proof. However, a brief discussion of the proof has 
been given in (IX §8), and the reader who then wishes to see the myriad 
details can proceed to one of the references listed there. 

The prerequisites. for reading this book are fairly modest. We assume that 
the reader has had a first course in algebraic number theory, and so is 
acquainted with number fields, rings of integers, prime ideals, ramification, 
absolute values, completions, etc. The contents of any basic text in algebraic 
number theory, such as [La 2, Part I] or [Bo—Sh], should more than suffice. 
Chapter VI, which deals with elliptic curves over C, assumes a familiarity with 
the basic principles of complex analysis. In chapter X we will need a little bit 
of group cohomology, but just H® and H!. The reader will find the cohomo- 
logical facts needed to read chapter X given in appendix B. Finally, since our 
approach is mainly algebraic, there is the question of background material in 
algebraic geometry. On the one hand, since much of the theory of elliptic 
curves can be obtained through the use of explicit equations and calculations, 
we do not want to require the reader to already know a great deal of algebraic 
geometry. On the other hand, this being a book on number theory and not 
algebraic geometry, it would not be reasonable to spend half of the book 
developing from first principles the algebro-geometric facts that we will use. 
As a compromise, the first two chapters give an introduction to the algebraic 
geometry of varieties and curves, stating all of the facts which we will need, 
giving complete references, and providing enough proofs so that the reader 
can gain a flavor for some of the basic techniques used in algebraic geometry. 

Numerous exercises have been included at the end of each chapter. The 
reader desiring to gain a real understanding of the subject is urged to attempt 
as many as possible. Some of these exercises are (special cases of) results 
which have appeared in the literature. A list of comments and citations for 
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the exercises will be found at the end of the book. Exercises with a single 
asterisk are somewhat more difficult, and two asterisks signal an unsolved 
problem. 


References 


Bibliographical references are enclosed in square brackets, e.g. [Ta 5, thm. 6]. 
Cross references to theorems, propositions, lemmas within the same chapter 
are given by number in parentheses, e.g. (4.3). Reference to an exercise is given 
by (exer. 3.6). References from within one chapter to another chapter or an 
appendix are preceded by the appropriate Roman numeral or letter, e.g. 
(IV.3.1), (B.2.1). 


Standard Notation 


Throughout this book, we use the symbols 
Z, Q, R, C, F,, and Z, 


to represent the integers, rational numbers, real numbers, complex numbers, 
field with q elements, and /-adic integers respectively. Further, if R is any 
ring, then R* denotes the group of invertible elements of R; and if A is an 
abelian group, then A[m] denotes the subgroup of A consisting of elements 
of order m. A more complete list of notation is included on p. 379. 


CHAPTER I 


Algebraic Varieties 


In this chapter we describe the basic objects which arise in the study of 
algebraic geometry. We set the following notation, which will be used 
throughout this book. 


K a perfect field (i.e. every algebraic extension of K is separable). 


K a fixed algebraic closure of K 
Gk the Galois group of K/K 


For this chapter, we also let m and n denote positive integers. 

The assumption that K is a perfect field is made solely to simplify our 
exposition. However, since our eventual goal is to do arithmetic, the field K 
will eventually be taken as an algebraic extension of Q, Q,, or F,. Thus this 
restriction on K need not concern us unduly. 

For a more extensive exposition of the basic concepts which appear in this 
chapter, we refer the reader to any introductory book on algebraic geometry, 
such as [Har], [Sha 2], [Ful]. 


§1. Affine Varieties 


We begin our study of algebraic geometry with Cartesian (or affine) n-space 
and its subsets defined by zeros of polynomials. 
Definition. Affine n-space (over K) is the set of n-tuples 
A" = A"(K) = {P = (x,,...,X,):x;€K}. 
Similarly, the set of K-rational points in A" is the set 


A"(K) = {P = (x,,..., X,)€A": x, K}. 
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Notice that the Galois group Gg)x acts on A"; for o € Ggjx and Pe A", 
P° = (xf, ..., x2). 
Then A"(K) may be characterized by 
A"(K) = {PeA": P? = P for all o€ Gx}. 


Let K[X] = KLX,..., X,] be a polynomial ring in n variables, and let 
I c K[X] be an ideal. To each such I we associate a subset of A’, 


V, = {PeA": f(P) = 0 for all fel}. 


Definition. An (affine) algebraic set is any set of the form V,. If V is an 
algebraic set, the ideal of V is given by 

1(V) = {fe K[X]: f(P) = 0 for all PeV}. 
An algebraic set V is defined over K if its ideal I(V) can be generated by 


polynomials in K[X]. We denote this by V/K. If V is defined over K, the set 
of K-rational points of V is the set 


V(K) = VA AK). 


Remark 1.1. Note that by the Hilbert basis theorem ([A—M, 7.6]), all ideals 
in K[X] and K[X] are finitely generated. 


Remark 1.2. Let V be an algebraic set, and consider the ideal 
I(V/K) = {fe KX]: f(P) = 0 for all PEV} = 1(V) Nn KX]. 
Then we see that V is defined over K if and only if 
1(V) = 1(V/K)K[X]. 

Now suppose V is defined over K, and let f,,..., f,€K[X] be generators for 
I(V/K). Then V(K) is precisely the set of solutions (x,,...,x,) to the poly- 
nomial equations 

fx(X) = +++ = fn(X) = 0 


with x,, ..., X,€K. Thus one of the fundamental problems in the subject of 
Diophantine geometry, namely the solution of polynomial equations in ra- 
tional numbers, may be said to be the problem of describing sets of the form 
V(K) when K is a number field. 

Notice that if f(X)¢ K[X] and Pe A", then for any o € Gg, 


S(P?) = (PY. 


Hence if V is defined over K, then the action of Gg,x on A” induces an action 
on V, and clearly 


V(K) = {PeV: P? = P for all o€ Ggix}. 
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Example 1.3.1. Let V be the algebraic set in A? given by the single equation 
X?-—Y?=1. 


Clearly V is defined over K for any field K. Let us assume that char(K) # 2. 
Then the set V(K) is in one-to-one correspondence with A'(K) — {0}, one 
possible map being 


A'(K) — {0} > V(K) 
t > ((t? + 1)/2t, (t? — 1/20). 


Example 1.3.2. The algebraic set 
V:xX"+Y"=1 
is defined over Q. Fermat’s last “theorem” states that for all n > 3, 


= ul, 0), (0, 1)} n odd 
ne ie 1,0),(0,+1)} = neven. 


Example 1.3.3. The algebraic set 
V:Y?=X3°4+17 
has many Q-rational points, for example 
(—2,3) (5234, 378661) (137/64, 2651/512). 


In fact, V(Q) is infinite. See (2.8) and (III.2.4) for further discussion of this 
example. 


Definition. An affine algebraic set V is called an (affine) variety if I(V) is a 
prime ideal in K[X]]. (Note that if V is defined over K, it is not enough to 
check that I(V/K) is prime. For example, consider the ideal (X? — 2X?) in 
Q[X,, X,].) Let V/K be a variety (i.e. V is a variety defined over K). Then the 
affine coordinate ring of V/K is defined by 


K[X] 


RLV I= TeiKy’ 


It is an integral domain; and its quotient field, denoted K(V), is called the 
function field of V/K. Similarly K[V] and K(V) are defined by replacing K 
with K. 

Note that since an element fe K[V] is well-defined up to a polynomial 
vanishing on V, it induces a well-defined function f:V > K. Now if f(X)e 
K[X], then Gg acts on f by acting on its coefficients. Hence if V is 
defined over K, so Ggjx takes I(V) into itself, then we obtain an action of 
Gx On K[V] and K(V). One can check (exer. 1.12) that K[V] and K(V) 
are respectively the subsets of K[V] and K(V) fixed by Gg,x. We denote 
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the action of o on f by f > f°. Then for all points Pe V, 
(f(P))” = f°(P’). 


Definition. Let V be a variety. The dimension of V, denoted by dim(V), is the 
transcendence degree of K(V) over K. 


Example 1.4. The dimension of A’ is n, since K(A") = K(X,, ..., X,). Similar- 
ly, if V < A” is given by a single non-constant polynomial equation 

I(%, sees X,) = 0, 
then dim(V) = n — 1. (The converse is also true, cf. [Har, I.1.3].) In partic- 
ular, the examples (1.3.1), (1.3.2), and (1.3.3) all have dimension 1. 

In studying any geometric object, one is naturally interested in knowing 
whether it looks reasonably “smooth”. The next definition formalizes this 
notion in terms of the usual Jacobian criterion for the existence of a tangent 
plane. 


Definition. Let V be a variety, Pe V, and f,,..., f,€K LX] a set of generators 
for I(V). Then V is non-singular (or smooth) at P if the m x n matrix 


(6f;/OX(P))1 <i<mi<j<n 
has rank n — dim(V). If V is non-singular at every point, then we say that V is 
non-singular (or smooth). 
Example 1.5. Let V be given by a single non-constant polynomial equation 
f(X,,..., X,) = 0. 
Then dim V = n — 1 (1.4), so Pe V is a singular point if and only if 
Of/OX,(P) =--: = Of/0X,,(P) = 0. 
Since P also satisfies f(P) = 0, this gives n + 1 equations for the n coordinates 
of any singular point. Thus for a “randomly chosen” f, one would expect V to 
be non-singular. We will not pursue this idea further, but see (exer. 1.1). 
Example 1.6. Consider the two varieties 
V,:Y?=X34+X and Vz: Y? = X34 x2. 
Using (1.5) we see that any singular points on V, and V, satisfy respectively: 
V,:3X7+1=2Y=0; 
Vy 3X? + 2X =2Y =0, 


Thus V, is non-singular, while V, has one singular point, namely (0, 0). The 
graphs of V, (IR) and V,(R) (Figure 1.1) illustrate the difference. 
There is another characterization of smoothness, in terms of the functions 
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Figure 1.1 


on the variety V, which is often quite useful. Let Pe V, and define an ideal Mp 
of K[V] by 


Mp = {feK[V]: f(P) = 0}. 
Notice that Mp is a maximal ideal, since there is an isomorphism 
K[V]/Mp— K given by f > f(P). 


The quotient M,/M? is a finite dimensional K-vector space. 


Proposition 1.7. Let V be a variety. A point P € V is non-singular if and only if 
dimg M,/M; = dim V. 


Proor. [Har, 1.5.1]. (See exer. 1.3 for a special case.) O 


Example 1.8. Consider the point P = (0, 0) on the varieties V, and V, of (1.6). 
In both cases, Mp is the ideal of K[V] generated by X, Y; and M? is the ideal 
generated by X’, XY, Y”. Now for V,, we have 


X = Y? — X? =0(mod M3), 


so M,/M; is generated by Y alone. On the other hand, for V, there is no non- 
trivial relationship between X and Y modulo M3, so Mp/M? requires both X 
and Y as generators. Since each V, has dimension 1, (1.7) implies that V, is 
smooth at P and JV, is not. 


Definition. The local ring of V at P, denoted K[V]p, is the localization of 
K[V] at Mp. In other words, 


K[V]p = {Fe K(V): F = f/g for some f, gé K[V] with g(P) # 0}. 


Notice that if F = figeK[V]p, then F(P) = f(P)/g(P) is well-defined. The 
functions in K[V]p are said to be regular (or defined) at P. 
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§2. Projective Varieties 


Historically, projective space arose through the process of adding “points at 
infinity” to affine space. We define projective space as the collection of lines in 
affine space of one higher dimension. 


Definition. Projective n-space (over K), denoted P" or P"(K), is the set of all 
(n + 1)-tuples 
(con men™ 
such that at least one x; is non-zero, modulo the equivalence relation given 
by 
(Xo, see Xn) is (Yo; see Vn) 


if there exists a AeK* with x,= Ay, for all i. An equivalence class 
{(Axo, ..., Ax,)} is denoted [xo,...,X,], and Xo, ..., x, are called homoge- 
neous coordinates for the corresponding point in P”. The set of K-rational 
points in P" is the set 


P"(K) = {[Xo,..., X,]€P": all x,¢ K}. 
Remark 2.1. Note that if P = [xo, ..., x, ] € P”(K), it does not follow that each 


x;€K. However, choosing some i with x; #0, it does follow that each 
x;/x,€K. 


Definition. Let P = [xo, ..., X,] €P"(K). The minimal field of definition for P 
(over K), denoted K(P), is the field 
K(P) = K(Xxo/x;, ..., X,/X;) for any i with x, 4 0. 
The Galois group Gg)x acts on P" by acting on homogeneous coordinates, 
[X05 --+> Xal” = [%G, .--, x2]. 


(This clearly respects the equivalence relation defining P”.) Then one checks 
(exer. 1.12) that 


P"(K) = {PeP": P’ = P for all c€ Gg x}, 
and 
K(P) = fixed field of {0 € Ggjx : P’ = P}. 


Definition. A polynomial fe K[X] = K[Xp, ..., X,] is homogeneous of de- 
gree dif 
flAXoy --- AX,) = I4f(Xoy ---5 X;) 


for all Ae K. An ideal I c K[X] is homogeneous if it is generated by homo- 
geneous polynomials. 
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Note that for a homogeneous polynomial f, it makes sense to ask whether 
f(P) = 0 for a point PEP". To each homogeneous ideal I we associate a 
subset of P”, 


V, = {PeP": f(P) = 0 for all homogeneous fe I}. 
Definition. A (projective) algebraic set is any set of the form V,. If V is a 


projective algebraic set, the (homogeneous) ideal of V, denoted I(V), is the 
ideal in K[X] generated by 


{f¢K[X]: f is homogeneous and f(P) = 0 for all Pe V}. 


Such a V is defined over K, denoted by V/K, if its ideal [(V) can be generated 
by homogeneous polynomials in K[X]. If V is defined over K, the set of K- 
rational points of V is the set 


V(K) = Va P"(K). 
As usual, V(K) may also be described by 
V(K) = {PeV: P’ = P for all c€ Ggjx}. 


Example 2.2. A line in P? is an algebraic set given by a linear equation 
aX +bY+cZ=0 


with a, b, ce K not all zero. If, say, c # 0, then such a line is defined over any 
field containing a/c and b/c. More generally, a hyperplane in P" is given by an 
equation 


AgXo + a,X, +°°°+a,X, =0 


with a; K not all zero. 


Example 2.3. Let V be the algebraic set in P? given by the single equation 
MP YP 
Then for any field K with char(K) # 2, the set V(K) is isomorphic (i.e. struc- 
turally identical, see (3.5)) to P(K), for example by the map 
P!(K) > V(K) 
[s, t] > [s? — t?, 2st, s? + t?]. 

Remark 2.4. A point of P"(Q) has the form [xo,..., x,] with x,;¢Q. Multi- 
plying by an appropriate 4€Q, one can clear denominators and common 


factors from the x;’s. In other words, every Pe P"(Q) may be written with 
homogeneous coordinates [Xo, ..., X,] satisfying 


Xo.-++»X,EZ and gcd(xo,...,x,) = 1. 


(Notice the x,’s are actually determined by P up to multiplication by —1.) 
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Thus if the ideal of an algebraic set V/Q is generated by homogeneous 
polynomials f,, ..., f,,€Q[X], then to describe V(Q) means to find the 
solutions to the homogeneous equations 

Fi(Xo, «+ X,) = °° = fin(Xos +++ X,) = 0 


in relatively prime integers Xo, ..., X,. 


Example 2.5. The algebraic set 

Vix? 4. Y? =377 
is defined over Q. However, V(Q) = @. To see this, suppose [x, y, z]—¢ V(Q) 
with x, y, zeZ and gcd(x, y, z) = 1. Then 

x? + y? = 0 (mod 3), 

so 

x = y = 0(mod 3). 
(Note —1 is not a square modulo 3.) Hence x? and y? are divisible by 37, so 
from the equation for V it follows that 3 also divides z, which contradicts the 


assumption that gcd(x, y, z) = 1. This example illustrates one of the funda- 
mental tools used in the study of Diophantine equations. 


In order to show that an algebraic set V/Q has no Q-rational points, it suffices to 
show that the corresponding homogeneous polynomial equations have no non-zero 
solutions modulo p for any one prime p (or even one prime power p’). 


A more succinct way to phrase this is to say that if V(Q) is non-empty, then 
V(Q,) is non-empty for every p-adic field Q,. Similarly, V(R) would also be 
non-empty. One of the reasons that the study of Diophantine equations is so 
difficult is because the converse to this statement, the so-called “Hasse prin- 
ciple”, does not in general hold. An example, due to Selmer [Sel 1], is the 
equation 


V:3X3 + 4Y¥3 + 523 =0. 
Onc can check that V(Q,) is non-empty for every prime p, yet V(Q) is empty. 
(See, e.g., [Ca 7, §4]. For other examples, see (X.6.5).) 


Definition. A projective algebraic set is called a (projective) variety if its 
homogeneous ideal I(V) is a prime ideal in KX]. 


It is clear that P” contains many copies of A”. For example, for each 
0 <i <n, there is an inclusion 
¢; : A" = Pp" 
(V1 beg Ve) > [y1, Y29+++9 Vi-1> 1, Vir s+ +> Yn). 
If we let H; denote the hyperplane in P" given by X; = 0, 
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H; = {P = [Xo, eeay x,]€P": x; = 0}; 
and let U, be the complement of H,, 
U; = {P = [X, ---, Xn] EP": x; # 0}; 


then there is a natural bijection 


$1: U,> A" 
Xo X41 Xi-1 Xi+1 Xn 
Dros td-2 (23 : geveg—]e 
Xi Xj Xi xX; x; 


(Note that for any point of P” with x; #0, the quantities x;/x; are well- 
defined.) Having fixed an i, we will normally identify A” with the set U; in P” 
via the map @,. 

Now let V be a projective algebraic set with homogeneous ideal [(V) < 
K[X]. Then V cn A’ (by which we mean ¢; '(V 7 U,)) is an affine algebraic set 
with ideal I(V > A") c K[Y] given by 


IV AA) = {f(Yyy 000s Yeas Ly Yo eos Yi f (Xo --- XN EL(V)}. 


Notice that the sets Up, ..., U, cover all of P”, so any projective variety V 

is covered by subsets V7 Up, .... VO U,, each of which is an affine variety 

(via the appropriate ¢;'). The process of replacing f(Xo,...,X,) by 

S(%,...5 %-1, 1, ¥;, ..., Y,) is called dehomogenization with respect to X;. 
This process can be reversed. For any f(Y)¢K[Y]., let 


Xo X; Xj-1 X ist x) 


tae Aas ae Caan 


u 


fae ee ae ri 


where d = deg(f) is the smallest integer for which f* is a polynomial. We say 
that f* is the homogenization of f with respect to X;. 


Definition. Let V be an affine algebraic set with ideal I(V), and consider V as 
a subset of P” via the map 
VcA"S pr 


The projective closure of V, denoted V, is the projective algebraic set whose 
homogeneous ideal I(V) is generated by 


{f*(X): fel(V)}. 


Proposition 2.6. (a) Let V be an affine variety. Then V is a projective variety, 
and 


V=VoA". 
(b) Let V be a projective variety. Then V ~ A” is an affine variety, and either 


VoAT=@ or V=VNA". 


14 I. Algebraic Varieties 


(c) If an affine (respectively projective) variety V is defined over K, then V 
(respectively V 7 A") is also defined over K. 


Proor. [Har, I.2.3] for (a) and (b); and (c) is clear from the definitions. O 


Remark 2.7. In view of (2.6), each affine variety can be identified with a 
unique projective variety. Notationally, it is easier to deal with affine coordi- 
nates, so we will often say “let V be a projective variety” and write down 
some non-homogeneous equations, with the understanding that V is the 
projective closure of the indicated affine variety W. The points of V-W are 
called the points at infinity on V. 


Example 2.8. Let V be the projective variety given by the equation 
V:Y? = X3 +17. 
Thus we really mean the variety in P* given by the homogeneous equation 


¥*Z =X? 4172', 


the identification being 
X=X/Z Y=Y/Z. 
This variety has one point at infinity, namely [0, 1, 0], obtained by setting 


Z = 0. Thus, for example, 
V(Q) = {(x, ye A?(Q): y? = x? + 17} U {[0, 1, OF}. 


In (1.3.3) we listed several points of V(Q). The reader may verify that the line 
connecting any two points of V(Q) will intersect V in a third point of V(Q) 
(provided the line is not tangent to V). (See exer. 1.5.) Using this secant- 
line procedure, one can actually produce infinitely many points in V(Q), 
although this is by no means obvious. The variety V is called an elliptic curve, 
and as such it provides the first example of the varieties which will be our 
principal object of study in this book. See (III.2.4) for further discussion of 
this example. 


Most of the important properties of a projective variety V may now be 
defined in terms of the affine subvariety V 7 A”. 


Definition. Let V/K be a projective variety, and choose A" < P" so that 
VA" # ©. The dimension of V is the dimension of V4 A". The function 
field of V, denoted K(V), is the function field of V7 A"; and similarly for 
K(V). (Note that for different choices of A’, the different K(V)’s are canon- 
ically isomorphic, so we will always identify them. See (2.9) for another 
description of K(V).) 


Definition. Let V be a projective variety, Pe V, and choose A" < P" with 
PeA\". Then V is non-singular (or smooth) at P if V 7 A" is non-singular at P. 
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The local ring of V at P, denoted K[V]p, is the local ring of Vn A* at P.A 
function F € K(V) is regular (or defined) at P if it is in K[V]p; in this case, it 
makes sense to evaluate F at P. 


Remark 2.9. The function field of P" may also be described as the subfield of 
K(X), ..., X,) consisting of rational functions F(X) = f(X)/g(X) for which f 
and g are homogeneous polynomials of the same degree. Such an expression 
gives a well-defined function on P” at all points P where g(P) # 0. Similarly, 
the function field of a projective variety V is the field of rational functions 
F(X) = f(X)/g(X) such that: 


(i) f and g are homogeneous of the same degree: 
(ii) g€1(V); 
(iii) two functions f/g and f'/g’ are identified if fg’ — f’g eI(V). 


§3. Maps between Varieties 


In this section we look at algebraic maps between projective varieties, which 
are those maps defined by rational functions. 


Definition. Let V, and V, < P” be projective varieties. A rational map from V, 
to V, is a map of the form 


o:V,> V2 
g= Eton tes dale 


where fo, ..., f,¢K(V;) have the property that for every point Pe V, at which 
tos -+-> Jy are all defined, 


$(P) = [folP), ---» iP) € Vo. 


If V, and V, are defined over K, then Gg), acts on ¢ in the obvious way: 
b°(P) = [fo (P), ---> fa (P)I. 
Notice that we have the formula 
o(P)’ = ¢°(P’) for all c€ Gg, and PeV,. 


Now if there is some Ae K* so that Afo, ..., Af,eK(V,), then ¢ is said to be 
defined over K. (Notice that [fo, ..., f,] and [Afo, ..., Af.) give the same map 
on points.) As usual, it is true that ¢ is defined over K if and only if ¢ = ¢? for 
all o € Gxjx (cf. exer. 1.12c). 


Remark 3.1. Note that a rational map ¢: V, — V, is not necessarily a function 
on all of V,. However, it is sometimes possible to evaluate ¢(P) at points P of 
V, where some f; is not regular by replacing each f; with gf; for an appro- 
priate ge K(V,). 
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Definition. A rational map 
$ = [for --s fil: Vi > Ve 
is regular (or defined) at PV, if there is a function g ¢ K(V,) such that 
(i) each gf; is regular at P; and 
(ii) for some i, (gf;)(P) # 9. 


If such a g exists, we set 


PP) = [(Gfo)(P), «++» (Gfn) (P)I- 


(N.B. It may be necessary to take different g’s for different points.) A rational 
map which is regular at every point is called a morphism. 


Remark 3.2. Let V, c P”™ and V, < P" be projective varieties. Recall (2.9) that 

the functions in K(V,) may be described as quotients of homogeneous poly- 

nomials in K[Xo,..., X,,] having the same degree. Thus by multiplying a 

rational map ¢ = [fo, ...; f,] by a homogeneous polynomial which clears the 

“denominators” of the fs, we obtained the following alternative definition: 
A rational map ¢: V, > V, is a map of the form 


@ = [$o(X), 225. $n(X)1, 
where 


(i) $(X)e K[X] = K[Xp, ..., Xm] are homogeneous polynomials, not all in 
I(V,), having the same degree; and 
(ii) for every fe I(V,), 


SGX), «+s bn(X)) EL(V)). 


Clearly, ¢(P) is well-defined provided some ¢,(P) 4 0. However, even if all 
¢;(P) = 0, it may be possible to “alter” ¢ so as to make sense of ¢(P). We 
make this precise as follows: 

A rational map ¢ = [@o, ..., ,] : V; > V; as above is regular (or defined) at 
PeV, if there exist homogeneous polynomials Wo, ..., W,€KLX] such that 


(i) Wo, .-., W, have the same degree, 
(ii) 6:0; = W; (mod I(V,)) for 0 <i, j <n, and 
(iii) w,(P) 4 0 for some i. 


If this occurs, we set 


P(P) = [WolP), ---» Un(P)]. 


As above, a rational map which is everywhere regular is called a morphism. 


Remark 3.3. Let ¢ = [¢o,.--, $,]: P”  P" be a rational map as in (3.2), where 
¢,;¢ K[X] are homogeneous polynomials of the same degree. Since K[X] 
is a UFD, we may assume that the ¢,’s have no common factor. Then ¢ is 
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regular at a point Pe P” if and only if some ¢,(P) # 0. (Note that I(P”) = (0), 
so there is no way to alter the ¢,’s.) Hence ¢ is a morphism if and only if the 
¢;s have no common zero in P”. 


Definition. Let V, and V, be varieties. We say that V, and V, are isomorphic, 
and write V, ~ V,, if there are morphisms ¢: V, > V, and w: V, > V, such 
that Yo@ and dow are the identity maps on V, and V, respectively. V,/K 
and V,/K are isomorphic over K if such ¢ and w can be defined over K. [N.B. 
@ and w must be morphisms, not merely rational maps. ] 


Remark 3.4. If ¢ : V, > V, is an isomorphism defined over K, then ¢ identifies 
V,(K) with V,(K). Hence for Diophantine problems, it suffices to study any 
one variety in a given K-isomorphism class of varieties. 
Example 3.5. Assume char(K) # 2, and let V be the variety from (2.3), 

VEX? pe = Ze 
Consider the rational map 

¢@:V>P} 
@=[X4+Z, Y]. 


Clearly ¢ is regular at every point of V except possibly [1, 0, — 1] (i.e. where 
X+Z=Y =0). But using 


(X + Z)(X — Z) = —Y? (mod I(V)), 
we have 
@=[X+Z,Y]=[X? -—Z?, y(X —Z)] 
=[-Y?%, YX —- Z)]=[-Y X —Z]. 
Thus 
g([1, 0, —1]) = [0, 2] = [0, 1], 


so ¢ is regular at every point of V. (Le. ¢ is a morphism.) One easily checks 
that the map 


y:Pioav 
w = [S? — T?, 2ST, S? + T?] 
is a morphism and provides an inverse for ¢, so V and P! are isomorphic. 
Example 3.6. The rational map 
¢:P? = P? 
o = [X*, XY, Z7] 
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is regular everywhere except at the point [0, 1, 0], where it is not regular (cf. 
3.3). 


Example 3.7. Let V be the variety 
ViV7Za XxX? 4 X22, 
and consider the rational maps 
y:P!aV @:V->P 
w = [(S? — T?)T, (S*— T)S,T*] = LY, X]. 
Here yw is a morphism, while ¢ is not regular at [0, 0, 1]. Not coincidently (see 
11.2.1), [0, 0, 1] is a singular point of V. Notice that the compositions do wy 


and Wo¢ are the identity map whenever they are defined, but nonetheless ¢ 
and w are not isomorphisms. 


Example 3.8. Consider the varieties 

Vier EY a2 V,:X? 4+ Y? = 3Z?. 
They are not isomorphic over Q, since V,(Q) = @ (2.5), while V,(Q) contains 
lots of points. (More precisely, V,(Q) ~ P+(Q) from (3.5).) However, V, and 
V, are isomorphic over Q(/3), an isomorphism being given by 


$:V,7V, 
= 1X, ¥,/3Z]. 


EXERCISES 


1.1. Let A, Be K. Characterize the values of A and B for which each of the following 
varieties is singular. In particular, as (A, B) ranges over A”, the “singular values” 
lie on a one-dimensional subset of A?, so “most” values of (A, B) give a non- 
singular variety. 

(a) V:Y?Z + AXYZ + BYZ? = X3. 
(bl) V: Y?Z = X34 AXZ? + BZ? (char K # 2). 

1.2. Find the singular point(s) on each of the following varieties, and sketch V(R). 
(a) V: Y? = X3 in A?, 

(b) V: 4X? Y? = (X?2 + Y?)3 in A?. 
(c) V: Y? = X*+4 Y*in A?. 
(d) V: X24 Y? =(Z — 1)? in A*. 

1.3. Let V < A” be a variety given by a single equation (cf. 1.4). Prove that a point 
Pe V is non-singular if and only if 

dimg Mp/M? = dim V. 
[Hint: Let f = 0 be the equation of V, and define the tangent plane to V at P by 


T = {(Y1, «+s EA": Y (G/0X,(P))y; = O}. 
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1.4. 


1.5. 


1.6. 


1.7. 


1.8. 


1.9. 


Show that the map 
Mp/Mp x T>K, — (9, y) > 9) (69/0X(P))y; 
is a well-defined perfect pairing of K-vector spaces. Now use (1.5).] 
Let V/Q be the variety 
V:5X? + OXY 4+ 2Y? =2YZ + Z?. 
Prove that V(Q) = @. 
Let V/Q be the projective variety 
V:Y¥? = X34 17, 
and let P, = (x,, y,) and P, = (x2, y2) be distinct points of V. Let L be the line 
through P, and P,. 
(a) Show that Vn L = {P,, P, P;}, and express P, = (x3, y3) in terms of P, and 
P,. (If L is tangent to V, then P; may equal P, or P.) 


(b) Calculate P, for P, = (—1, 4) and P, = (2, 5). 
(c) Show that if P,, P, e V(Q), then P; € V(Q). 


Let V be the variety 
V:Y?Z= X34 2). 

Show that the map 

o:V—>P?, @ = [X?, XY, Z7] 
is a morphism. (Notice ¢ does not give a morphism P? - P?.) 
Let V be the variety 

V:Y?Z = X3, 

and let ¢ be the map 

@:P' AV, ¢ = [(S°T, S3, T°]. 
(a) Show that ¢ is a morphism. 
(b) Find a rational map w: V > P! so that dow and wo¢ are the identity map 


wherever they are defined. 
(c) Is ¢ an isomorphism? 


Let K = F,, and let V < P" be a variety which is defined over K. 
(a) Show that the q'*-power map 
@ = (X},..., X 


is a morphism ¢: V > V. It is called the Frobenius morphism. 
(b) Show that ¢ is one-to-one and onto. 
(c) Show that ¢ is not an isomorphism. 
(d) Show that 


{PeV: $(P) = P} = V(K). 


If m > n, prove that there are no non-constant morphisms P™ > P". [Hint: Use 
the dimension theorem [Har, I.7.2].] 
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1.10. For each prime p > 3, let V, be the variety in P? given by the equation 
V,:X? + Y? = pZ?. 
(a) Prove that V, is isomorphic to P' over Q if and only if p = 1 (mod 4). 
(b) Prove that for p = 3 (mod 4), no two of the V,’s are isomorphic over Q. 
1.11. (a) Let fe K[X, ..., X,] be a homogeneous polynomial, and let 
V = {PeP": f(P) = 0} 
be the hypersurface defined by f. Prove that if a point Pe V is singular, then 
Of /OXo(P) = ++ = Of/0X,(P) = 0. 


(Thus in projective space, one can check for smoothness using homogeneous 
coordinates.) 


(b) Let W c P" be a smooth algebraic set of dimension n — 1. Prove that W is 
a variety. [Hint: First use Krull’s Hauptidealsatz ([A—M] p. 122) to show 
that W is the zero set of a single homogeneous polynomial. ] 


1.12. (a) Let V/K be an affine variety. Prove that 
K[V] = {feK[V]:f? = f for all ce Gz,x}. 


[Hint: One inclusion is clear. For the other, choose some Fe K[X] with 
F = f (mod I(V)). Show that the map Gg)x > I(V) defined by o > F’ — F is 
a 1-cocycle (cf. B §2). Now use (B.2.5a) to conclude that there exists a 
Gel(V) such that F + Ge K[X].] 

(b) Prove that 


P"(K) = {Pe P"(K): P* = P for all ce Gz x}. 
[Hint: Write P = [xo, ..., X,]. If P = P’, then there is a 4,¢K* such that 
xf = A,x; for 0 <i <n. Show that the map o > A, gives a 1-cocycle from 


Gx to K*. Now use Hilbert’s theorem 90 (R.2.5b) to find an ae K* 
so that [ax ,..., ax,]€P"(K).] 


(c) Let ¢: V, > V, be a rational map of projective varieties. Prove that @ is 
defined over K if and only if ¢° = ¢ for every o€ Gx)x. [Hint: Use (a) and 
(b).] 


CHAPTER II 


Algebraic Curves 


In this chapter we present the basic facts about algebraic curves (i.e. projec- 
tive varieties of dimension 1) which will be needed for our study of elliptic 
curves. (Actually, since elliptic curves are curves of genus 1, one of our tasks 
will be to define the genus of a curve.) As in Chapter I, we give references for 
those proofs which are not included. There are many books where the reader 
can find more material on the subject of algebraic curves, for example [Har, 
Ch. IV], [Sha 2], [G—H, Ch. 2], [Wa]. 

We recall the following notation from Chapter I, which will be used in this 
chapter. (C is a curve and PeC.) 


C/K _ C is defined over K 

K(C), K(C) the function field of C 
K[C]p the local ring of C at P 

Mp the maximal ideal of K[C]p 
§1. Curves 


By a curve we will always mean a projective variety of dimension 1. We will 
generally deal with curves which are smooth. Examples of smooth curves are 
provided by P’, (1.2.3), and (1.2.8). We start by describing the local rings of a 
smooth curve. 


Proposition 1.1. Let C be a curve and PEC a smooth point. Then K[C]p is a 
discrete valuation ring. 
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Proor. From (1.1.7), Mp/M? has dimension 1 over K = K[C]p/Mp. Now use 
[A—M, Prop. 9.2] (or exer. 2.1). Oo 


Definition. Let C be a curve and PeC a smooth point. The (normalized) 
valuation on K[C]p is given by 


ordp: K[C] > {0, 1, 2,...} u {co} 
ord,(f) = max{deZ: fe Ms}. 
Using ord p( f/g) = ordp(f) — ord p(g), we extend ord» to K(C), 
ordp: K(C) > Zu {o}. 


A uniformizer for C at P is a function te K(C) with ordp(t) = 1 (ie. a gen- 
erator for Mp). 


Definition. Let C, P be as above and f ¢ K(C). The order of f at P is ordp(f). 
If ordp(f) > 0, then f has a zero at P; if ordp(f) < 0, then f has a pole at P. If 
ordp(f) > 0, then f is regular (or defined) at P, and we can calculate f(P). 
Otherwise f has a pole at P, and we write f(P) = 00. 


Proposition 1.2. Let C be a smooth curve and f ¢ K(C). Then there are only 
finitely many points of C at which f has a pole or a zero. Further, if f has no 
poles, then f eK. 


Proor. [Har, 1.6.5], [Har, II.6.1], or [Sha 2, III §1] for the finiteness of the 
number of poles. To deal with the zeros, look instead at 1/f. The last state- 
ment is [Har, I.3.4a] or [Sha 2, I §5, cor. 1]. oO 


Example 1.3. Consider the two curves 
C,:Y?=X?+X and C,:Y?=X34+X?. 


(Remember our convention (1.2.7) concerning affine equations for projective 
varieties. Each of C, and C, has a single point at infinity.) Let P = (0,0). Then 
C, is smooth at P and C, is not (1.1.6). The maximal ideal Mp of K[C,]p has 
the property that Mp/M? is generated by Y (1.1.8), so for example 


ord,p(Y) = 1 ord,(X)=2 ord,(2Y? — X) =2. 
(For the last, note that 2Y? — X = 2X? + X.) On the other hand, K [C,]p is 


not a discrete valuation ring. 


The next proposition is useful when dealing with curves over fields of 
characteristic p > 0. (See also exer. 2.15.) 


Proposition 1.4. Let C/K be a curve, and let te K(C) be a uniformizer at some 
non-singular point Pe C. Then K(C) is a finite separable extension of K(t). 
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Proor. K(C) is clearly a finite (algebraic) extension of K(t), since it is finitely 
generated over K, has transcendence degree 1 over K, and t¢ K. Now let 
xe K(C). We will show that x is separable over K(t). 

In any case, x is algebraic over K(t), so it satisfies some polynomial relation 


a,tixi=0, where ®(T, X) = \a,,TiXie KLX, T]. 
Ly iy 


We may further assume that ® is chosen so as to have minimal degree in X. 
(Le. ®(t, X) is a minimal polynomial for x over K(t).) Let p = char(K). If ® 
contains a non-zero term a,,T'X/ with j #0 (mod p), then 0®(X, 1)/0X is 
not identically 0, so x is separable over K(t). Suppose now that ®(T, X) = 
‘Y(T, X”). We proceed to derive a contradiction. 

The main point to note is that if F(T, X)eK[T, X] is any polynomial, 
then F(T”, X”) is a p'*-power. This is true because we have assumed that K is 
perfect, which implies that every element of K is a p'*-power. Thus if F(T, X) 
= a,T'X/, then writing a, = BP gives F(T’, X”) = (ZB,T'X4)?. We now 
regroup the terms in ®(T, X) = P(T, X”) according to powers of T (modulo 
p): 

-1 


=1 
O(T, X) = ¥(T, X") ='Y (5 bin rirxir) T= "5 (7, XPTt 
i,j k=0 


k=0 


Now by assumption, ®(t, x) = 0. On the other hand, since t is a unifor- 
mizer at P, we have 


ord p(¢,(t, x)?t") = p ordp(¢,(t, x)) + k ordp(t) = k(mod p). 


Thus each of the terms in the sum Z¢,(t, x)?t* has a distinct order at P, so 
every term must vanish: 


dolt, x) 7 r(t, x) SES lls x) =0. 


But one of the ¢,(T, X)’s must involve X; and for that k, the relation ¢,(t, x) 
= 0 contradicts the fact that we chose ®(t, X) to be a minimal polynomial for 
x over K(t). (Note that degy(@,(T, X)) < degy(®(T, X))/p.) This contradiction 
completes the proof that x is separable over K(t). Oo 


§2. Maps between Curves 


We start with the fundamental result that for smooth curves, a rational map 
is always defined at every point. 


Proposition 2.1. Let C be a curve, V < P® a variety, PEC a smooth point, and 
¢@:C—V arational map. Then ¢ is regular at P. In particular, if C is smooth, 
then @ is a morphism. 


Proor. Write ¢=[fo,..., fy] with f,eK(C), and choose a uniformizer 


24 II. Algebraic Curves 


te K(C) for C at P. Let 


n= min {ord f;}. 
O<i<N 


Then 
ordp(t"f;) > Ofor alli and ord,(t™"f) = 0 for some j, 
so each t "f; is regular at P and (t""f;)(P) # 0. Therefore ¢ is regular at P. 0 


For examples where (2.1) is false if P is not smooth or C has dimension 
greater than 1, see (1.3.6) and (1.3.7). 


Example 2.2. Let C/K be a smooth curve and fe K(C) a function. Then f 
defines a rational map, which we also denote by f, 


f:Cc->P! 
P-[f(P), 1). 


From (2.1), this map is actually a morphism. It is given explicitly by 


f(P) = [f(P),1] _ if f is regular at P 
~ ULL, 07 if f has a pole at P. 
Conversely, let 
¢:C>P} 
=(f9] 


be a rational map defined over K. Then either g = 0, in which case ¢ is the 
constant map ¢ = [1, 0]; or else ¢ is the map corresponding to the function 
t/g€K(C). Denoting the former map by o, we thus have a one-to-one 
correspondence 

K(C) vu {00} @ {maps C > P! defined over K}. 


We will often implicitly identify these two sets. 


Theorem 2.3. Let ¢:C, > C, be a morphism of curves. Then ¢ is either con- 
stant or surjective. 


Proor. [Har, II.6.8] or [Sha 2, I §5, thm. 4]. Oo 


Now let C,/K and C,/K be curves and ¢: C, > C, a non-constant rational 
map defined over K. Then composition with ¢ induces an injection of func- 
tion fields fixing K, 


g* : K(C,) > K(C,) 
o*f = fog. 
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Theorem 2.4. Let C,/K and C,/K be curves. 

(a) Let 6: C, > C, be a non-constant map defined over K. Then K(C,) is a 
finite extension of 6*K(C,). 

(b) Let 1: K(C,) > K(C,) be an injection of function fields fixing K. Then 
there exists a unique non-constant map ¢: C, — C, (defined over K) such that 
o* =1. 

(c) Let K < K(C,) be a subfield of finite index containing K. Then there 
exists a smooth curve C'/K, unique up to K-isomorphism, and a non-constant 
map @: C > C’ defined over K, so that *K(C’) = K. 


ProoF. (a) [Har, IT.6.8]. 

(b) Let C, < P%; and for each i, let g;¢ K(C,) be the function on C, corre- 
sponding to X;/Xo. (Relabeling if necessary, we will assume that C, is not 
contained in the hyperplane X, = 0.) Then 


) =. [1, 191,-++519n] 


gives a map ¢: C, > C, with ¢* =1. (Note @ is not constant, since the g,’s 
cannot all be constant and : is injective.) Finally, if wy = [fo,..., fy] is an- 
other map with y* = 1, then for each i, 


Fil fo = "9: = P"9: = i, 
which shows that w = ¢. 
(c) [Har, 1.6.12] for the case that K is algebraically closed. The general case 
may be done similarly, or it may be deduced from the algebraically closed 
case by examining Gg,x-invariants. oO 


Definition. Let ¢ : C, + C, be a map of curves defined over K. If ¢ is constant, 
we define the degree of ¢ to be 0; otherwise we say that ¢ is finite, and define 
its degree by 


deg ¢ = [K(C,): $*K(C,)]. 


We say that ¢ is separable (inseparable, purely inseparable) if the extension 
K(C,)/¢*K(C,) has the corresponding property, and we denote the separable 
and inseparable degrees of the extension by deg, ¢ and deg; ¢ respectively. 


Definition. Let ¢ : C, + C, be a non-constant map of curves defined over K. 
From (2.4a), K(C,) is a finite extension of ¢*K(C,). We define 
oy: K(C,) > K(C,) 
by using the norm map relative to ¢*, 
$y = (b*) * ONgc,yp*KtC2): 


Corollary 2.4.1. Let C, and C, be smooth curves, and let @: C, > C, be a map 
of degree 1. Then @ is an isomorphism. 
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Proor. By definition, deg ¢ = 1 means that ¢*K(C,) = K(C,), so ¢* is an 
isomorphism of function fields. Hence from (2.4b), corresponding to the in- 
verse map (¢*)~!: K(C,) S K(C,), there is a rational map yw: C, > C, such 
that w* = (¢*)~!; and since C, is smooth, w is actually a morphism (2.1). 
Finally, since (¢ 0 W)* = w* o g* and (Wo ¢)* = o* o* are the identity maps 
on K(C,) and K(C,) respectively, the uniqueness assertion of (2.4b) implies 
that dow and wod are the identity maps on C, and C,, so ¢ and w are 
isomorphisms. oO 


Remark 2.5. The above result (2.4) shows the close connection between 
curves and their function fields. This can be made precise by stating that the 
following map is an equivalence of categories. (See [Har, I §6] for details.) 


Objects: smooth curves Objects: extensions K/K of 
defined over K transcendence degree 1 with 
Maps: non-constant KAK=K 

. . lea . . . . 
rational maps (equivalently Maps: field injections fixing 
surjective morphisms) K 


defined over K 
C/K ~~~ K(C) 
$:C, + C, ~~~ $*: K(C,) > K(C,). 


Example 2.5.1. Hyperelliptic Curves. We assume char(K) #2. Let f(x)e 
K [x] be a polynomial of degree d, and consider the affine curve C,/K given 
by the equation 


Co: y? = f(x) = dox? + ax t +0 + ay. 
Suppose that the point P = (xo, yo) € Cp is singular. Then 
2yo = f'(Xo) = 9, 
which means that yp = 0 and x, is a double root of f(x). Hence if we assume 
that disc( f) 4 0, then the affine curve y* = f(x) will be non-singular. 

Now, if we treat Cy as giving a curve in P* by homogenizing its affine 
equation, then one easily checks that the point at infinity will be singular 
whenever d > 4. On the other hand, (2.4c) assures us that there exists some 
smooth projective curve C/K whose function field equals K(C,) = K(x, y). 
The problem is that this smooth curve is not a subset of P?. 


For example, let us consider the case d = 4. (See also exer. 2.14.) Then Cy 
has an affine equation 


Co y? = Agx* + a,x? + a,x? + a3x + ay. 
Consider the map 
[1, x, y, x7]: Cy > P. 
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Letting [X), X,, X2, X3] =[1, x, y, x7], the ideal of the image clearly con- 
tains the homogeneous polynomials 


F = X3Xo = Xe 
and 
G = X2X2 — a, X# — a, X3X_ — a, X?2X2 — a,X,X3 — a,Xé. 


However, the zero set of these two polynomials cannot be the desired curve 
C, since it includes the line X, = X, = 0. But if we substitute X? = X,X; into 
G and cancel an X, we obtain the quadratic polynomial 


H al Xx} = a) X? — a,X,X;, aed a,XoX3 aaa a,XoX, == a,Xé. 


Now we claim that the ideal generated by F and H will give a smooth curve 
C. 

To see this, note first that if X) 4 0, then dehomogenization with respect to 
Xp gives the affine curve (setting x = X,/Xo, y = X,/Xo, z = X3/Xo) 


Z=Xx? — y? =agz* +.a,xZ + yz + a3X + 4. 


Substituting the first equation into the second gives us back the original 
curve Cy. Thus Cy = CO {Xp # O}. 

Next, if X) = 0, then necessarily X, = 0, and then X, = +,./ao X,. Thus C 
has two points [0, 0, +,/ay , 1] on the hyperplane X, = 0. (Note that ay 4 0, 
since we have assumed that f(x) has degree exactly 4.) To check that C is 


non-singular at these points, we dehomogenize with respect to X;, setting 
u = Xo/X3,v = X,/X3, w = X,/X;. This gives the equations 


u=v w=a)+a,v+a,u+a,uv + ayu’, 


from which we obtain the single affine equation 
w? = dy) + 4,0 + anv” + azv? + ayv*. 


Since a, # 0, the points (v, w) = (0, +,/ao) are non-singular. We summarize 
the above discussion in the following proposition, which will be used in 
chapter X. 


Proposition 2.5.2. Let f(x)eK[x] be a polynomial of degree 4 with 
disc( f) # 0. There exists a smooth projective curve C < P? with the following 
properties. 


(i) The intersection of C with A? = {X, # 0} is isomorphic to the affine curve 


2 
y = f(x). 
(ii) Let f(x) = agx* +-*:+ a4. Then the intersection of C with the hyper- 


plane {X» = 0} consists of the two points {[0, 0, +./do, 1]}. 


We next look at the behavior of a map in the neighborhood of a point. 
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Definition. Let ¢: C, + C, be a non-constant map of smooth curves, and let 
PeéC,. The ramification index of $ at P, denoted e,(P), is given by 
eg(P) = ordp(d*typ)), 


where typ) € K(C;) is a uniformizer at (P). Note that e4(P) > 1. We say that ¢ 
is unramified at P if e,(P) = 1; and ¢ is unramified if it is unramified at every 
point of C,. 


Proposition 2.6. Let ¢: C, — C, be a non-constant map of smooth curves. 
(a) For every QEC,, 


>» —eg(P) = deg ¢. 
Ped (Q) 
(b) For all but finitely many QEC,, 
#9 *(Q) = deg,(¢). 


(c) Let 6: C, + C; be another non-constant map. Then for all PEC, 
CyoglP) = eg(P)e, (PP). 


Proor. (a) [Har, II.6.9] (take Y = P! and D = (0)), [La 2, I, prop. 21], [Se 9, 

I, Prop. 10], or [Sha 2, III §2, thm. 1]. 

(b) [Har, 11.6.8]. 

(c) Let tgp and t,p be uniformizers at the indicated points. By definition, 
tei) and W*tygp 

have the same order at ¢(P). Applying ¢* and taking orders at P yields 


ordp(g*tge?”) = ordp((W9)*tygr), 
which is the desired result. oO 


Corollary 2.7. A map ¢:C,—C, is unramified if and only if #¢71(Q) 
= deg(¢) for all QEC,. 


Proor. From (2.6a), #¢~1(Q) = deg ¢ is equivalent to 
d  eg(P) = #67 1(Q). 
Peg1(Q) 
Since e4(P) > 1, this occurs if and only if each eg(P) = 1. oO 


Remark 2.8. Proposition 2.6 is exactly analogous to the theorems describing 
the ramification of primes in number fields. Thus let L/K be number fields. 
Then (2.6a) is the analogue of the Le; f; = [K : Q] theorem ([La 2, I, prop. 
21], [Se 9, I, prop. 10]), (2.6b) is similar to the fact that only finitely many 
primes of K ramify in L, and (2.6c) gives the multiplicativity of ramification 
degrees in towers of fields. Of course, (2.6) and the analogous results for 
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number fields are both merely special cases of the basic theorems describing 
finite extensions of Dedekind domains. 
Example 2.9. Consider the map 
¢:P!+P! 
OLX, Y]) = [X°(X — YY, ¥°]. 
Then ¢ is unramified everywhere except the points [0, 1] and [1, 1]. Further, 
eg([0,1])=3 and e,([1, 1]) = 2; 
sO 


eg(P) = eg(L0, 1]) + eg(L1, 1]) = 5 = deg ¢, 
Peg-"0, 1) 


which is in accordance with (2.6a). 


The Frobenius Map 


Assume that char(K) = p > 0, and let g = p’. For any polynomial fe K [X], 
let f be the polynomial obtained from f by raising each coefficient of f to 
the q'" power. Then for any curve C/K we can define a new curve C/K by 
describing its homogeneous ideal as follows: 


1(C) = ideal generated by { f: feI(C)}. 


Further, there is a natural map from C to C™, called the q'*-power Frobenius 
morphism, given by 


@:C7C® 
O(LXo9,---> Xnl) = Lx, ..., x7]. 


To see that ¢ actually maps C to C®, it suffices to show that for every 
P = [Xo,.--s Xn] €C, O(P) is a zero of each generator f™ of 1(C™). But 


SOG(P)) = F(X, «5 x0) 
= (f(Xo,---, X,))4 since char(K) = p 
=0 since f(P) = 0, 


which gives the desired result. 


Example 2.10. Let C be the curve in P? given by the single equation 
C:Y?Z = X3 + aXx?Z + bZ?. 
Then C has the equation 
C%:Y¥?Z = X3 + atX?Z + bIZ?. 
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The next proposition describes the basic properties of the Frobenius map. 


Proposition 2.11. Let K be a field of characteristic p > 0, q = p’, C/K a curve, 
and ¢: C + C® the q'*-power Frobenius morphism described above. 


(a) o*K(C) = K(C)* (= {f4: fe K(C)}). 
(b) ¢ is purely inseparable. 
(c) deg @ = q. 


[N.B. We are assuming that K is perfect. If K is not perfect, (b) and (c) remain 
true, but (a) must be modified. ] 


ProorF. (a) Using the description (1.2.9) of K(C) as consisting of quotients f/g 
of homogeneous polynomials of the same degree, we see that ¢*K(C) is the 
subfield given by quotients 


O*(£/9) = f(XSs --+» XAV/G(XGs «+> Xn) 
Similarly, K(C)? is the subfield given by quotients 
S(Xo5 «02s Xn)9/G(Xo, --+> Xn)” 
But since K is perfect, we know that every element of K is a q'*-power, so 
(K[X,.--, X,J)! = KLXG..., X71. 


Thus the set of quotients f(X})/g(X#) and the set of quotients f(X;)*/g(X;)* 
give the exact same subfield of K(C). 

(b) Immediate from (a). 

(c) Choose t€ K(C) to be a uniformizer at some smooth point Pe C, so K(C) 
is separable over K(f) (1.4). Consider the tower of fields 


K(C) 
separable | purely 
K(C)4(t) inseparable 
K(t) K(C)! 
It follows that K(C) = K(C)*(t), so from (a), 
deg ¢ = [K(C)%(t): K(C)*]. 


Now t%eK(C)‘, so in order to prove that deg ¢ = q, we need merely show 
that ¢”’?¢ K(C)*. But if 7” = f4 for some f €¢ K(C), then 


q/p = ordp(t”””) = q ordp(f), 


which is clearly impossible. | 


Corollary 2.12. Every map w:C,—>C, of (smooth) curves over a field of 
characteristic p > 0 factors as 
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A 
C.4.0°5¢;, 


where q = deg,(w), ¢ is the q'*-power Frobenius map, and A is separable. 


Proor. Let K be the separable closure of y*K(C,) in K(C,). Then K(C,)/K is 
purely inseparable of degree q, so K(C,)? < K. But from (2.11a, c), 


K(C,)" = $*(K(C{?)) and [K(C,): 6*(K(C{))] = @. 


Hence by comparing degrees, K = 6*K(C{”). We now have the tower of 
function fields 


K(C,)/6*K(C?)/W*K(C,), 
and from (2.4b) this corresponds to maps 


A 
C5ce Sc, 
Sat 


v O 
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The divisor group of a curve C, denoted Div(C), is the free abelian group 
generated by the points of C. Thus a divisor De Div(C) is a formal sum 


D> Fair 


with npéZ and np = 0 for all but finitely many PeC. The degree of D is 
defined by 


deg D= )° np. 


Pec 


The divisors of degree 0 form a subgroup of Div(C), which we denote by 
Div°(C) = {De Div(C) : deg D = 0}. 


If C is defined over K, we let Gg,x act on Div(C) (and Div°(C)) in the 

obvious way, 
D? = ¥° np(P’). 
PeC 

Then D is defined over K if D’ = D for all o€ Gg. (N.B. If D =n, (P,) + °° + 
n,(P,) with n,,...,, # 0, then to say that D is defined over K does not mean 
that P,,..., P.¢ C(K). It suffices for Gg,x to permute the P;’s in an appropriate 
fashion.) We denote the group of divisors defined over K by Div,(C), and 
similarly for Div&(C). 

Assume now that the curve C is smooth, and let f ¢ K(C)*. Then we can 
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associate to f the divisor div(/) given by 


div(f) = )" ordp(f)(P). 


PeC 


(This is a divisor by (1.2).) Now if o € Gg/x, then one easily sees that 
div( f’) = div(f)’. 


In particular, if f ¢ K(C), then div( f) € Div,(C). 
Since each ord, is a valuation, we see that the map 


div : K(C)* > Div(C) 


is a homomorphism of abelian groups. It is analogous to the map which 
sends an element of a number field to the corresponding fractional ideal. This 
prompts the following definitions. 


Definition. A divisor D € Div(C) is principal if it has the form D = div(f) for 
some f € K(C)*. Two divisors D,, D, are linearly equivalent, denoted D, ~ D,, 
if D, — D, is principal. The divisor class group (or Picard group) of C, 
denoted Pic(C), is the quotient of Div(C) by the subgroup of principal 
divisors. We let Pic,(C) be the subgroup of Pic(C) fixed by Ggx. [N.B. In 
general, Pic,(C) is not the quotient of Div,(C) by its subgroup of principal 
divisors. But see (exer. 2.13).] 


Proposition 3.1. Let C be a smooth curve and f € K(C)*. 
(a) div( f) = Oif and only if f € K*. 
(b) deg(div( f)) = 0. 


ProoF. (a) If div(f) = 0, then f has no poles, so the corresponding map 
f:C—>P! (cf. 2.2) is not surjective. Therefore it is constant (2.3), so fe K*. 
The converse is clear. 

(b) [Har, I1.6.10], [Sha 2, III 2, cor. to thm. 1], or see (3.7) below. oO 


Example 3.2. On P’, every divisor of degree 0 is principal. To see this, 
suppose that D = Xn,(P) has degree 0. Writing P = [ap, Bp] €P', we see that 
D is the divisor of the function 


I] (eX — apY)”. 
PeP! 
(Note this function is in K(P1) because Enp = 0.) We have thus proven that 
for P', the degree map 
deg : Pic(P!) > Z 
is an isomorphism. It turns out that the converse is also true: if C is a smooth 


curve and Pic(C) ~ Z, then C is isomorphic to P?. 


Example 3.3. Assume that char(K) # 2. Let e,, e2, e;€K be distinct, and 
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consider the curve 
C:y? = (x — e)(x — e)(x — es). 


One can check that C is smooth; and it has a single point at infinity, which we 
will denote by P,,. For i = 1, 2, 3, let P, = (e;, 0)E C. Then 


div(x — e;) = 2(P,) — 2(P..) 
and 
div(y) = (P,) + (P2) + (Ps) — 3(P..). 


From (3.1b) we see that the principal divisors form a subgroup of Div°(C). 


Definition. The degree 0 part of the divisor class group of C, which we denote 
by Pic°(C), is the quotient of Div°(C) by the subgroup of principal divisors. 
Further, Picg(C) is the subgroup of Pic°(C) fixed by Gg,x. 


Remark 3.4. Proposition 3.1 and the above definitions may be summarized 
by saying that there is an exact sequence 
1 K* + K(C)* 3 Div(C) > Pic®(C) 3 0. 


This sequence is the function field analogue of the fundamental exact 
sequence in algebraic number theory, which for a number field K reads 


om units 4 K*—> fractional = ideal class = 
of K ideals of K group of K ; 
Now let ¢: C, > C, be a non-constant map of smooth curves. As we have 
seen, ¢ induces maps on the function fields of C, and C,, 


¢*:K(C,) > K(C,) and ¢,:K(C,) > K(C)). 


We similarly define maps on the divisor groups as follows. 


o* : Div(C,) > Div(C,) ¢, : Div(C,) > Div(C,) 
(Q)> }% eg(P)(P) (P) > (@P), 
Pe@¢ \(Q) 


and extend Z-linearly to arbitrary divisors. 


Example 3.5. Let C be a smooth curve, fe K(C) a non-constant function, and 
f:C—P! the corresponding map (2.2). Then directly from the definitions, 


div( f) = f*((0) — ()). 
Proposition 3.6. Let 6: C, > C, be a non-constant map of smooth curves. 
(a) deg(¢*D) = (deg ¢)(deg D) for all D € Div(C,). 
(b) d*(div f) = div(¢*f) for all f ¢ K(C,)*. 
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(c) deg(¢,D) = deg D for all De Div(C,). 
(d) ¢,(div fy= div(¢, f) for all f eK(C,)*. 
(e) ¢, 0 ¢* acts as multiplication by deg ¢ on Div(C,). 
(f) If w:C, > C, is another such map, then 
(Wod)* = GF ow* and (WOd)y = Wy Ody. 


ProoF. (a) Follows directly from (2.6a). 
(b) Follows from the definitions and the easy fact (exer. 2.2) that for all 
PeCc,, 


ordp(P*f) = eg(P) ordgp(f). 


(c) Clear from the definitions. 

(d) [La 2, ch. 1, prop. 22] or [Se 9, I, prop. 14]. 

(e) Follows directly from (2.6a). 

(f) The first equality follows from (2.6c). The second is obvious. Oo 


Remark 3.7. From (3.6) we see that ¢* and ¢, take divisors of degree 0 to 
divisors of degree 0, and principal divisors to principal divisors. They thus 
induce maps 


g* : Pic°(C,) > Pic°(C,) and ¢,,: Pic°(C,) > Pic°(C,). 
In particular, if f ¢ K(C) gives the map f : C > P', then 
deg div( f) = deg f*((0) — (co)) = deg f — deg f = 0. 
This provides a proof of (3.1b). 
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In this section we will discuss the vector space of differential forms on a curve. 
This vector space will be useful for two different purposes. First, it will perform 
the traditional calculus role of linearization. (See (III §5), especially (III.5.2).) 
Second, it will give a useful criterion for determining when an algebraic map 
is separable. (See (4.2c) below and its utilization in the proof of (III.5.5).) Of 
course, this latter is also a familiar use of calculus, since a field extension is 
separable if and only if the minimal polynomial of each element has non-zero 
derivative. 


Definition. Let C be a curve. The space of (meromorphic) differential forms on 
C, denoted Qc, is the K(C)-vector space generated by symbols of the form dx 
for x € K(C), subject to the usual relations: 

(i) d(x + y)=dx + dy for all x, ye K(C); 
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(ii) d(xy) = xdy + ydx for all x, ye K(C); 
(iii) da = 0 for allaeK. 


Remark 4.1. There is, of course, a more functorial definition of Q,. See, for 
example, [Mat, ch. 10], [Har, I1.8], or [Rob, II §3]. 


Let ¢:C, > C, be a non-constant map of curves. Then the natural map 
¢@* : K(C,) > K(C,) induces a map on differentials 
b* :Q¢, 7 Qe, 


o* (5 fax, = Vi G*f)db*x;). 
This map will provide a useful criterion for determining when ¢ is separable. 


Proposition 4.2. Let C be a curve. 
(a) Q¢ is a 1-dimensional K(C)-vector space. = 7 
(b) Let xe K(C). Then dx is a K(C) basis for Q¢ if and only if K(C)/K(x) is a 
finite separable extension. 
(c) Let 6: C, + C, be anon-constant map of curves. Then ¢ is separable if and 
only if the map 
P* 2 QX¢, 7 Qe, 
is injective (equivalently, non-zero.) 
ProorF. (a) [Mat, 27.A, B], [Rob, I1.3.4], or [Sha 2, IIT §4, thm. 3]. 
(b) [Mat, 27.A, B] or [Sha 2, III §4, thm. 4]. : 
(c) Using (a) and (b), choose yeK(C,) so that Qc, = K(C,)dy and 


K(C,)/K( y) is a separable extension. Note ¢*K(C,) is then separable over 
o*K(y) = K(g*y). Now 


¢* is injective <> d(¢*y) 4 0 
<> d(¢*y) is a basis for Qe, (from (a)) 
<> K(C,)/K(@*y) is separable (from (b)) 
<> K(C,)/¢*K(C,) is separable, 
where the last equivalence follows because we already know that 


¢*K(C,)/K(¢*y) is separable. oO 


Proposition 4.3. Let Pe C, and let te K(C) be a uniformizer at P. 
(a) For every weEQ¢ there exists a unique function gé K(C), depending on w 
and t, such that 

o=gadt. 


We denote g by w/dt. 
(b) Let f € K(C) be regular at P. Then df/dt is also regular at P. 
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(c) The quantity 
ord p(w/dt) 

depends only on w and P, independent of the choice of uniformizer t. We call 
this value the order of w at P, and denote it by ordp(@). 
(d) Let xe K(C) such that K(C)/K(x) is separable and x(P) = 0. Then for all 
feK(C), 

ordp( f dx) = ordp(f) + ordp(x) — 1. 
(e) For all but finitely many PEC, 


ord p(w) = 


ProorF. (a) This follows from (1.4) and (4.2a, b). 

(b) [Har, comment following IV.2.1] or [Rob, II.3.10]. 

(c) Let t’ be another uniformizer at P. Then from (b), dt/dt’ and dt'/dt are both 
regular at P, so ordp(dt'/dt) = 0. Since 


@ = gdt' = g(dt'/dt)dt, 
the desired result follows. 
(d) Write x = ut” with n = ordp(x) > 1, so ordp(u) = 0. Then 
dx = [nut"™! + (du/dt)t"] dt. 
Now from (b), du/dt is regular at P, so provided n # 0, the first term domi- 
nates. Hence we obtain the desired equality 
ordp( f dx) = ordp( fnut"~! dt) = ordp(f) +n — 1. 


Finally, if char K = p > 0 and p|n, then we see that (x/u)"/” e K(C). But since 
K(C) is Sate over K(x, u), this implies x/ueK, which contradicts 
ord p(x) > 

(e) Let 2G) so that K(C)/K(x) is separable, and write w = f dx. From 
(Har, IV.2.2a], the map x : C > P' ramifies at only finitely many points of C. 
Hence discarding finitely many points, we may restrict our attention to 
points PEC such that f(P) 4 0, 00, x(P) # 00, and x: C > P? is unramified at 
P. But the latter two conditions imply that x — x(P) is a uniformizer at P, so 


ordp(w) = ordp( fd(x — x(P))) = 0. g 


Definition. Let @ €Q,. The divisor associated to w is 


div(w) = }° ordp(w)(P)e€ Div(C). 
Pec 


Definition. A differential @ €Q¢ is regular (or holomorphic) if 
ordp(a) > 0 for all PEC. 
It is non-vanishing if 


ord,(w) < 0 for all PEC. 
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Remark 4.4. If @,, @,€Q¢ are non-zero differentials, then (4.2a) implies that 
there is a function f € K(C)* so that w, = fw,. Thus 


div(w,) = div(f) + div(a,), 
which shows that the following definition makes sense. 
Definition. The canonical divisor class on C is the image in Pic(C) of div(@) for 


any non-zero differential w€Q,. Any divisor in this divisor class is called a 
canonical divisor. 


Example 4.5. Let us show that there are no holomorphic differentials on P?. 
First, if t is a coordinate function on P', then 
div(dt) = —2(00). 
(To see this, note that for all ae K, t — ais a uniformizer at «, so 
ord, (dt) = ord,(d(t — «)) = 0. 
However, at oo € P?, 1/t is a uniformizer, so 
ord,,(dt) = ord,,(—t?d(1/t)) = —2.) 


Thus dt is not holomorphic. But now for any non-zero we Qpu, (4.3a) implies 
that 


deg div(w) = deg div(dt) = —2, 


so w cannot be holomorphic either. 


Example 4.6. Let C be the curve 
C:y? = (x — e,)(x — e2)(x — es), 
where we continue with the notation of (3.3). Then 
div(dx) = (P,) + (Pp) + (P3) — 3(P..): 
(Note dx = d(x — e;) = —x?d(1/x).) We thus see that 
div(dx/y) = 0. 


Hence dx/y is both holomorphic and non-vanishing. 
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Let C be a curve. We put a partial order on Div(C) as follows. 


Definition. A divisor D = Xnp(P) € Div(C) is positive (or effective), denoted by 
D=>0, 
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if np > 0 for every PEC. Similarly, if D,, D, e Div(C), then we write 
D, >D, 
to indicate that D, — D, is positive. 
Example 5.1. Let f ¢ K(C)* be a function which is regular everywhere except 


at one point Pe C, and such that it has a pole of order of most n at P. These 
requirements on f may be succinctly summarized by the inequality 


div( f) > —n(P). 
Similarly, 
div( f) 2 (Q) — n(P) 
says that in addition, f has a zero at Q. Thus divisorial inequalities are a 
useful tool for describing poles and/or zeros of functions. 
Definition. Let D € Div(C). We associate to D the set of functions 
L(D) = {f eR(C)* :div(f) > —D} v {0}. 


LD) is a finite-dimensional K-vector space (see (5.2b) below), and we denote 
its dimension by 


¢(D) = dimg L(D). 
Proposition 5.2. Let D € Div(C). 
(a) If deg D < 0, then 
L(D) = {0} and ¢D)=0. 


(b) L(D) is a finite-dimensional K-vector space. 
(c) If D'’eDiv(C) is linearly equivalent to D, then 


LD) ~ LD’); and so &(D) = “(D’). 


ProoF. (a) Let fe Y(D) with f # 0. Then using (3.1b), 
0 = deg div(f) > deg(—D) = —deg D, 


so deg D > 0. 
(b) [Har, II.5.19] or (exer. 2.4). 
(c) If D = D’ + div(g), then the map 


¥(D) > £(D') 
f> fg 
is an isomorphism. | 
Example 5.3. Let K- € Div(C) be a canonical divisor on C, say 


Ke = div(a). 
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Then each function f €¢ #(K_) has the property that 
div(f) > —div(), so div( fw) > 0. 


In other words, fa is holomorphic. Conversely, if f@ is holomorphic, then 
f ¢ £(Ke). Since every differential on C has the form fm for some f, we have 
thus established an isomorphism of K-vector spaces 


L(Ke) ~ {wEQe: w is holomorphic}. 
The dimension /¢(K,) of these spaces is an important invariant of the curve C. 
We are now ready to state one of the most fundamental results in the 
algebraic geometry of curves. Its importance, as we will see amply demon- 


strated (cf. III §3), lies in its potential for allowing us to describe the functions 
on C having prescribed zeros and poles. 


Theorem 5.4 (Riemann—Roch). Let C be a smooth curve and K, a canonical 
divisor on C. There is an integer g > 0, called the genus of C, such that for 
every divisor Dé Div(C), 


¢(D) — ¢(Kc — D) = deg D—g +1. 


Proor. For a fancy proof using Serre duality, see [Har, IV §1]. A more 
elementary proof, due to Weil, is given in [La 6, Ch. I]. oO 


Corollary 5.5. (a) ¢(K-) = g. 
(b) deg Kc = 2g — 2. 
(c) If deg D > 2g — 2, then 


f(D) = deg D—g + 1. 
ProoF. (a) Use (5.4) with D = 0. Note that Y(0) = K from (1.2), so 2(0) = 1. 


(b) Use (a) and (5.4) with D = Ke. 
(c) From (b), deg(K, — D) < 0. Now use (5.4) and (5.2a). oO 


Example 5.6. Let C = P’. Then there are no holomorphic differentials on C 
(4.5), so using the identification from (5.3), we see that 7(K-) = 0. Thus by 
(5.5a), P! has genus 0, and the Riemann—Roch theorem reads 


{(D) — ¢(—2(00) — D) = deg D + 1. 
In particular, if deg D > —1, then 
¢(D) = deg D + 1. 
(See exer. 2.3b.) 


Example 5.7. Let C be the curve 
Czy? = (x — e:)(x — e2)(x — e3), 
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where we continue with the notation of (3.3) and (4.6). We have seen (4.6) that 
div(dx/y) = 0, 
so the canonical class on C is trivial (i.e. we may take K, = 0). Hence from 
(5.5a), 
g = ¢(Kc) = (0) = 1, 
so C has genus 1. The Riemann—Roch theorem (actually (5.5c)) then reads 
¢(D) = deg D provided deg D > 1. 
Let’s look at several special cases. 


(i) Let PEC. Then ¢((P)) = 1. But Y((P)) certainly contains the constant 
functions. This shows that there are no functions on C having a single 
simple pole. 

(ii) Recall P,, is the point at infinity on C. Then ¢(2(P,,)) = 2, and {1, x} 
provides a basis for #(2(P.,)). 

(iii) Similarly {1, x, y} is a basis for F(3(P,,)), and {1, x, y, x7} is a basis for 
L(A(P.,)). 

(iv) Now the functions 1, x, y, x”, xy, x3, y? are all in Y(6(P,,)). But 7(6(P,,)) 
= 6, so it follows that these functions are K-linearly dependent. Of 
course, the original equation used above to define C gives an equation of 
linear dependence among them. 


The next result says that if C and D are defined over K, then so is Y(D). 
Proposition 5.8. Let C/K be a smooth curve, and let De Divg(C). Then L(D) 
has a basis consisting of functions in K(C). 

Proor. Since D is defined over K, we have 
f°eL(D"))= L(D) forall fe Y(D) and o€ Gx x. 
Thus Gg x acts on Y(D), and the desired conclusion follows from the follow- 
ing general lemma. | 
Lemma 5.8.1. Let V be a K-vector space, and assume that Gg)x acts contin- 
uously on V in a manner compatible with its action on K. Let 
Vg = Vo = {vEeV: 0" = ve for all ce Gz}. 
Then 
V = K @ Vx. 
[.e. V has a basis of Gx)x-invariant vectors. ] 
ProoF. It suffices to show that every ve V is a K-linear combination of 


vectors in Vy. Choose a ve V, and let L/K be a finite Galois extension such 
that v is fixed by Gg). (The fact that Gg,x acts continuously on V means 
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precisely that the subgroup {o€ Gg,x:v’ = v} has finite index in Ggx. We 
take L to be the Galois closure of its fixed field.) Let {«,,..., «,} be a basis for 
L/K, and let {o,, ..., 6,3} = Gx. For each 1 <i <n, consider the vector 


n 
w= >, (a,v)% = Trace, )x(a;v). 
j=1 


It is clearly Gg), invariant, so w;€ Vx. Now a basic result in field theory [La 
2, III, prop. 9] says that the matrix (a7), <;, ;<, is non-singular, so each v% 
(and in particular v) is an L-linear combination of the w,s. (For a fancier 
proof, see exer. 2.12.) oO 


We conclude by giving the classic relationship connecting the genus of 
curves linked by a non-constant map. 


Theorem 5.9 (Hurwitz). Let ¢:C, — C, be a non-constant separable map of 
smooth curves. Then 


2g, — 2 > (deg ¢)(2g2 — 2) + oe (eg(P) — 1), 


where g; is the genus of C,. Further, equality holds if and only if either: 
(i) char(K) = 0; or 
(ii) char(K) = p > 0 and p does not divide e4(P) for all PEC,. 


Proor. Let wEQc,, o # 0, let PEC,, and let Q = ¢(P). Since ¢ is separable, 
¢*w # 0 (4.2c); we wish to relate ordp(¢*@) and ordg(w). Write w = f dt with 
te K(C,) a uniformizer at Q. Then letting e = e4(P), we have ¢*t = us°, where 
sis a uniformizer at P and u(P) # 0, oo. Hence 


b* eo = (*f )d(o*t) = (P*f )d(us*) = (P*f)[eus*! + (du/ds)s*]ds. 
Now ord p(du/ds) > 0 (4.3b), so we see that 
ordp(¢*@) > ordp(¢*f) + e — 1, 
with equality if and only if e 4 0 in K. Further, 
ordp(¢*f) = eg(P) ordo( f) = eg(P) ordg(a). 
Hence adding over PEC, yields 


deg div(¢*w) > oe [eg(P) ordy p(w) + eg(P) — 1] 
= VY e(P)ordg(o)+ ¥ eg(P)—-1 
QeC2 Ped 1(Q) PeC, 
= (deg ¢)(deg div()) + pa e4(P) — 1, 
where the last equality follows from (2.6a). Now Hurwitz’ theorem is a conse- 


quence of (5.4b), which says that on a curve of genus g, the divisor of any non- 
zero differential has degree 2g — 2. 
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EXERCISES 


2.1. 


2.2. 


2.3. 


2.4. 


2.5. 


2.6. 


Let R be a Noetherian local domain, M its maximal ideal, and k = R/M. Prove 
that the following are equivalent: 

(i) R is a discrete valuation ring. 

(ii) M is principal. 
(iii) dim, M/M? = 1. 
(Note this lemma was used in (1.1) to show that on a smooth curve, the local 
rings K[C]p are discrete valuation rings.) 


Let ¢:C, > C, be a non-constant map of smooth curves, f ¢ K(C,)*, PeC,. 
Then 

ordyr( f ) = e,(P) ordp(¢*f). 
Verify directly that each of the following theorems is true for the particular case 


of the curve C = P! and a non-constant map ¢: P' > P?. 
(a) (proposition 2.6) Prove that 


> e(P)=deg¢ forall Qe P'; and 
Ped-1(Q) 
#6 1(Q) = deg,(¢) for all but finitely many Qe P'. 


(b) Prove the Riemann—Roch theorem (5.4) for P?. 
(c) Prove Hurwitz’ theorem (5.9) for ¢: P! > P?. 


Let C be a smooth curve and De Div(C). Without using the Riemann—Roch 
theorem, prove: 

(a) L(D) is a K-vector space. 

(b) If deg D > 0, then 


£(D) < deg D + 1. 


Let C be a smooth curve. Prove that the following are equivalent: 
(i) C is isomorphic to P?. 

(ii) C has genus 0. 

(iii) There exist distinct points P, Q@eC with (P) ~ (Q). 


Let C be a smooth curve of genus 1. Fix a basepoint Py € C. Prove the following. 
(a) For all P, QeEC there exists a unique REC such that 


(P) + (Q) ~ (R) + (Pp). 


Denote this R by o(P, Q). 

(b) The map o:C x CC from (a) makes C into an abelian group with 
identity Pp. 

(c) Define a map 


kK: C > Pic(C) 
P > divisor class of (P) — (Pp). 
Prove that x is a bijection of sets. Hence x can be used to make C into a group, 
P+Q= xk" (k(P) + x(Q)). 
(d) Prove that the group operations on C defined in (b) and (c) are the same. 
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2; 


2.8. 


2.9. 


2.10. 


2.12. 


Let F(X, Y, Z)e KX, Y, Z] be homogeneous of degree d > 1, and suppose that 
the curve C in P? given by the equation F = 0 is non-singular. Prove that 


genus (C) = (d — 1)(d — 2)/2. 
[Hint: Define a map C > P! and use (5.9).] 


Let ¢: C, > C, be a non-constant separable map of smooth curves. 
(a) Prove that genus (C,) > genus (C,). 
(b) Prove that if C, and C, both have genus g, then one of the following is true. 
(i) g=0. 
(ii) g = 1 and ¢ is unramified. 
(iii) g > 2 and ¢ is an isomorphism. 


Let a, b, c, d be square free integers with a > b > c, and let C be the curve in P? 
given by the equation 


C:aX*4+ bY? +cZ2>4+dXYZ=0. 


Let P = [x, y, z]€C and let L be the tangent line to C at P. 

(a) Show that COL = {P, P’}, and calculate P’ = [x’, y’, z’] in terms of a, b, 
c, d, X, y, Z. 

(b) Show that if Pe C(Q), then P’e C(Q). 

(c) Let PeC(Q). Choose homogeneous coordinates for P and P’ which are 
integers satisfying gcd(x, y, z) = 1 and gcd(x’, y’, z') = 1. Prove that 


|x’y’z’| > |xyz|. 


(Note the strict inequality.) 
(d) Conclude that either V(Q) = @, or else V(Q) is infinite. 
(e)** Characterize, in terms of a, b, c, d, whether V(Q) contains any points. 


Let C be a smooth curve. The support of a divisor D = Xn,(P) € Div(C) is the set 
of points PeC for which np # 0. Now let f¢K(C)* be a function such that 
div( f) and D have disjoint supports. Then it makes sense to define 


f(D) = TT] FP. 
Pec 


Next let ¢: C, > C, be a non-constant map of smooth curves. Prove that the 
following two equalities are valid in the sense that if one side is well-defined, 
then so is the other, and they are equal. 

(a) f(¢*D) =(¢,f)(D) for feK(C,)*, De Div(C,). 

(b) f(G,D) =(¢*f)(D) for feK(C,)*, DeDiv(C,). 


. Let C be a smooth curve and f, g¢ K(C)* functions such that div( f) and div(g) 


have disjoint support. (See exer. 2.10.) Prove Weil’s reciprocity law 
f(div(g)) = gdiv(f)) 


in two steps. 

(a) Verify it directly for C = P!. 

(b) Now prove it for arbitrary C by using the map g: C > P' to reduce to the 
case already done. 


Use the extension of Hilbert’s theorem 90 (B.3.2) which says that 


2.14. 


2.15. 
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H*(Ggjx, GL,(K)) = 0 
to give another proof of (5.8.1). 


. Let C/K be a curve. 


(a) Prove that the following sequence is exact. 
1 > K* > K(C)* > Div@(C) > Pic8(C). 


(b) Suppose that C has genus 1 and that C(K) # @. Prove that the map 
Div?(C) > Pic8(C) is surjective. 


Let f(x)¢ K [x] be a polynomial of degree d > 1 with disc( f) 4 0, let Co/K be 
the affine curve given by the equation 


Cory? = f(x) = agx4 + ayxt) +++ + ag_yx + ay, 


and let g be the unique integer satisfying d — 3 < 2g <d — 1. 
(a) Let C be the closure of the image of Cy under the map 


[1, x, x?,...,x974, y]: C > Pet?, 


Prove that C is smooth and that Cn {Xp # 0} is isomorphic to Cp. C is 
called a hyperelliptic curve. 

(b) Let f*(v) = ay + ayv +°°+ + ay_yv4! + ayvt = vif (1/v). Show that C con- 
sists of two affine pieces 


Co:y? =f(x) and C,:w? = f*(v), 
“glued” together via the maps 
Co > C, Ci, > Co 
(x, y) > (1/x, y/x9**) (u,v) > (1/u, w/u9*?). 


(c) Calculate the divisor of the differential dx/y on C, and use the result to show 
that C has genus g. Check your answer by applying Hurwitz’ formula (5.9) 
to the map [1, x]: C > P!. (Note exercise 2.7 does not apply, since C ¢ P?.) 

(d) Find a basis for the holomorphic differentials on C. [Hint: Consider the set 
{x!dx/y:i=0, 1, 2,...}. How many elements are holomorphic?] 


Let C/K be a smooth curve defined over a field of characteristic p > 0, and let 
te K(C). Prove that the following are equivalent: 
(i) K(C) is a finite separable extension of K(t). 
(ii) There exists a point Pe C such that ord>(t) is relatively prime to p. 
(iii) For all but finitely many points Pe C, t — t(P) is a uniformizer at P. 
(iv) t¢ K(C)?. 


CHAPTER III 


The Geometry of Elliptic Curves 


Elliptic curves, our principal object of study in this book, are curves of genus 
1 having a specified basepoint. Our ultimate goal, as the title of the book 
indicates, is to study the arithmetic properties of these curves. In other words, 
we will be interested in analyzing their points defined over arithmetically 
interesting fields, such as finite fields, local (p-adic) fields, and global (number) 
fields. Before doing so, however, we are well-advised to study the properties 
of these curves in the simpler situation of an algebraically closed field (i.e. 
their geometry). This reflects the general principle in Diophantine geometry 
that in attempting to study any significant problem, it is essential to have a 
thorough understanding of the geometry before one can hope to make pro- 
gress on the number theory. It is the purpose of this chapter to make an 
intensive study of the geometry of elliptic curves over arbitrary algebraically 
closed fields. (The particular case of the complex numbers is studied in more 
detail in chapter VI.) 

We start in the first two sections by looking at elliptic curves given by 
explicit polynomial equations, called Weierstrass equations. Using these ex- 
plicit equations, we show (among other things) that the set of points of an 
elliptic curve forms an abelian group, and the group law is given by rational 
functions. Then in section 3 we use the Riemann—Roch theorem to study 
arbitrary elliptic curves and to show, in particular, that every elliptic curve 
has a Weierstrass equation, so the results of the first two sections in fact apply 
generally. The remainder of the chapter studies (in various guises) the al- 
gebraic maps between elliptic curves. In particular, since the points of an 
elliptic curve form a group, for each integer m there is always a 
“multiplication-by-m” map from the curve to itself. As will become apparent 
throughout this book, it would be difficult to overestimate the importance of 
these multiplication maps in any attempt to study the arithmetic of elliptic 
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curves (which will perhaps explain why we devote so much space to them in 
this chapter). 


§1. Weierstrass Equations 


Our main object of study will be elliptic curves, which are curves of genus 1 
having a specified basepoint. As we will see in section 3, every such curve can 
be written as the locus in P? of a cubic equation with only one point (the 
basepoint) on the line at 00; ie., after scaling X and Y, as an equation of the 
form 


Y*Z + a,XYZ + a, YZ? = x3 + a,X?Z + a,XZ? + agZ°. 


Here O = [0, 1, 0] is the basepoint and a,,..., a,¢K. (It will become clear 
later why the coefficients are labeled in this way.) In this section and the next, 
we will study the curves given by such Weierstrass equations, using explicit 
formulas as much as possible to replace the need for general theory. 

To ease notation, we will usually write the Weierstrass equation for our 
elliptic curve using non-homogeneous coordinates x = X/Z and y = Y/Z, 


E:y? + a,xy + a3y =x? + a,x? + a,x + dg, 


always remembering that there is the extra point O = [0, 1, 0] out at infinity. 
As usual, if a,,..., ag¢K, then E is said to be defined over K. 

If char(K) # 2, then we can simplify the equation by completing the 
square. Thus replacing y by 4(y — a,x — a3) gives an equation of the form 


E: y? = 4x? + b,x? + 2b4x + b¢, 
where 
b, = a? + 4a, 
by = 2a, + a,43, 
be = a3 + 4ag. 
We also define quantities 
bg = atdg + 4a,d6 — 4,430, + a,a3 — a3, 
C4 = b3 — 24b,, 
Cg = b3 + 36b,b, — 216b., 
A = —b3b, — 8b? — 27b2 + 9bababs, 
j=ca/A, 
w = dx/(2y + a,x + a3) = dy/(3x? + 2a,x + a4 — ayy). 
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Node : two distinct 
tangent directions 


Cusp : one 
tangent direction 


Figure 3.2 


One easily verifies that they satisfy the relations 
4b, =b,b, —b2 and 1728A =c} — c2. 
If further char(K) # 2, 3, then replacing (x, y) by ((x — 3b,)/36, y/216) elimi- 
nates the x? term, yielding the simpler equation 
E: y? = x3 — 27c,4x — 54cg. 
Definition. The quantity A given above is called the discriminant of the 


Weierstrass equation, j is called the j-invariant of the elliptic curve E, and o is 
the invariant differential associated with the Weierstrass equation. 


Example 1.1. It is easy to graph the real locus of a Weierstrass equation. 
Some representative examples are shown in Figure 3.1. If A = 0, then we will 
see that the curve is singular (1.4). Two sorts of behavior can occur, as 
illustrated in Figure 3.2. 

With this example in mind, we consider the following situation. Let P = 
(Xo, Yo) be a point satisfying a Weierstrass equation 


f(x, y) = y? + ayxy + agy — x3 — a,x? — ax — ag = 0. 
Assume that P is a singular point on the curve f(x, y) = 0, so (1.1.5) 
Of/Ox(P) = Of/dy(P) = 0. 
Then the Taylor expansion of f(x, y) at P has the form 
f(x, y) oa f (Xo, Yo) 
= L(y — Yo) — «(x — Xo) L(Y — Yo) — B(x — Xo)] — (x — x0)* 
for some a, Be K. 


Definition. With notation as above, the singular point P is a node if « # B. In 
this case, the lines 
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Y—Yo=4(X—Xo) and y— yo = B(x — Xo) 


are the tangent lines at P. Similarly, P is a cusp if « = B, in which case the 
tangent line at P is given by 


Y — Vo = a(X — Xo). 


To what extent is the Weierstrass equation for an elliptic curve unique? As 
we will see (3.1(b)), assuming the line at infinity (i.e. the line Z = 0 in P?) is to 
intersect E only at [0, 1, 0], then the only change of variables fixing [0, 1, 0] 
and preserving the Weierstrass form of the equation is 


x=u?x' +7, 
y=usy’ + usx' +t, 


with u, r, s, te K, u # 0. It is now a simple (but tedious) matter to make this 
substitution and compute the a; coefficients (and associated quantities) for 
the new equation. The results are compiled in Table 1.2. 

It is now clear why the j-invariant has been so named; it is an invariant of 
the isomorphism class of the curve, and does not depend on the particular 
equation chosen. For algebraically closed fields, the converse is true, a fact 
which we will establish below (1.4b). 


Remark 1.3. As we have seen, if the characteristic of K is different from 2 and 
3, then any elliptic curve over K has a Weierstrass equation of a particularly 
simple kind. Thus any proof which involves extensive algebraic manipulation 
with Weierstrass equations (such as (1.4) below) tends to be much shorter if 
K is so restricted. On the other hand, even if one is primarily interested in 
characteristic 0 (e.g. K = Q), an important tool is the process of reducing the 


Table 1.2 


ua, = a, + 2s 
ua, = a, — sa, + 3r — 8? 
wa, =a; +7ra, + 2t 
uta, = a4 — sa, + 2ra, —(t + rs)a, + 3r? — 2st 
u°ag = ag + rag + r?a, +r? — ta; —t? —rta, 
u?b, = by + 12r 
utbi, = b, + rb, + 6r? 
u®bi, = be + 2rb, + rb, + 47? 
uSby = by + 3rb, + 3r2by + r°b, + 3r* 


utc, = C4 

u®ce = C6 
uA’ =A 
jsj 


uto’ =a 
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coefficients of an equation modulo p for various primes p (including p = 2 
and p = 3). So even for K = Q it is important to understand elliptic curves in 
all characteristics. Consequently, we will adopt the following policy. All 
theorems will be stated for a general Weierstrass equation. However, if it 
makes the proof substantially shorter, we will make the assumption that the 
characteristic of K is not 2 or 3, and give the proof in this case. Then, in the 
interest of completeness, we will return to these theorems in appendix A and 
give the proofs for general Weierstrass equations and arbitrary characteristic. 

Now if the characteristic of K is not 2 or 3, we may assume that our elliptic 
curve(s) have Weierstrass equations(s) of the form 


E:y?=x3+ Ax+B. 

This equation has associated quantities 

A = —16(4A? + 27B?), = j = 1728(4A)3/A. 
The only change of variables preserving this form of the equation is 

x=u?x', y=u5y’ — forsomeueK*; 
and then 
u*A’ = A, u°B’ = B, u?A' =A, 

Proposition 1.4. (a) The curve given by a Weierstrass equation can be classified 
as follows. 


(i) It is non-singular if and only if A 4 0. 
(ii) It has a node if and only if A = 0 and c, # 0. 
(ili) It has a cusp if and only if A = c, = 0. 


(In case (ii) and (iii), there is only the one singular point.) 

(b) Two elliptic curves are isomorphic (over K) if and only if they have the same 
j-invariant. 

(c) Let jg¢K. Then there exists an elliptic curve (defined over K(j,)) with j- 
invariant equal to jo. 


ProoF. (a) Let E be given by the Weierstrass equation 


E:f(x, y) = y? + a,xy + a3y — x3 — a,x? — a,x — ag = 0. 


We start by showing that the point at infinity is never singular. Thus we look 
at the curve in P? with homogeneous equation 


F(X, Y, Z) = Y*Z +a,XYZ + a,YZ? — X3 — a,X’*Z — a,XZ? —a,Z? 
=0 
and at the point O = [0, 1, 0]. Since 
OF/0Z(0) = 1 40, 


we see that O is a non-singular point on E. 
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Next suppose that E is singular, say at Py = (Xo, yo). The substitution 
X=X'+Xq Y=y't+yVo 


leaves A and c, invariant (1.2), so without loss of generality we may assume 
that E is singular at (0, 0). Then 


ag¢=f0,0=0 a,=df/ox0,0)=0 a, = affey(0, 0) =0, 
so the equation for E takes the form 
E: f(x, y) = y? + a,xy — a,x? — x3 =0. 
This equation has associated quantities 
C4 = (a? + 4a,)?> and A=0. 


Now by definition, E has a node (respectively cusp) at (0, 0) if the quadratic 
form y? + a,xy — a,x? has distinct (respectively equal) factors, which occurs 
if and only if its discriminant 


aj +4a,4#0 (respectively = 0). 


This proves the “only if” part of (ii) and (iii). 

To complete the proof of (i)—(ii), it remains to show that if E is non- 
singular, then A #0. To simplify the computation, we will assume that 
char(K) # 2, and consider a Weierstrass equation of the form 


E: y? = 4x3 + byx? + 2byx + be. 
(Cf. (1.3) and (A.1.2a).) Now E is singular if and only if there is a point 
(Xo, Vo) EE satisfying 
2Yo = 12x2 + 2b, Xo + 2b, = 0. 


In other words, the singular points are exactly points of the form (Xp, 0) with 
X 9 a double root of 4x3 + b,x? + 2b,x + bg = 0. This cubic polynomial has 
a double root if and only if its discriminant (which equals 16A) vanishes, 
which completes the proof of (i)—(iii). Further, since a cubic polynomial 
cannot have two double roots, E can have at most one singular point. 

(b) If two elliptic curves are isomorphic, then the transformation formulas 
(1.2) show that they have the same j-invariant. For the converse, we will 
assume that char(K) # 2, 3 (cf. (1.3) and (A.1.2b)). Let E and E’ be elliptic 
curves with the same j-invariant, say with Weierstrass equations 


E:y? =x> + Ax + B, 
ge (y'? -_ (x’)3 + A’x’ + B’. 
Then 
(44)3/(4A3 + 27B?) = (4A) (4A? + 27B), 
which yields 
A3B’? = A'>B?, 
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We look for an isomorphism of the form (x, y) = (u?x’, u°y’), and consider 
three cases. 


Case 1. A=0(j = 0). Then B ¥ 0(since A # 0), so A’ = 0, and we obtain an 
isomorphism using u = (B/B’)'. 


Case 2. B = 0(j = 1728). Then A # 0, so B’ = 0, and we take u = (A/A’)"*. 


Case 3. AB #0(j #0, 1728). Then A’B’ # 0 (since if one of them is zero, then 
they both are, contradicting A’ 4 0.) Hence taking u = (A/A’)'* = (B/B’)'” 
gives the desired isomorphism. 

(c) Assume that jy 4 0, 1728, and look at the curve 


E:y?+xy=x?3 ae — 
One computes 
A = jo/(io — 1728)? and j = jo. 
Thus E gives the desired elliptic curve (in any characteristic) provided jy # 0, 
1728. To complete the list we use the two curves 
E:y?+y=x> A=-27, j=0; 
E:y?=x3+x A=-—64, j=1728. 


(Notice that in characteristic 2 or 3, 1728 equals 0, so even in these cases 
one of the two curves will be non-singular, and so fill in the one missing value 
of j.) oO 


Proposition 1.5. Let E be an elliptic curve. Then the invariant differential w 
associated to a Weierstrass equation for E is holomorphic and non-vanishing 
(i.e. div(@) = 0). 
Proor. Let P = (Xo, yo) € E and 
F(x, y) = y? + a,xy + ayy — x3 — a,x? — ayx — ag, 
sO 
o= d(x fae Xo)/F,(x, y) = —dy = Yo)/F(x, y). 


Thus P cannot be a pole of a, since otherwise F,(P) = F,(P) = 0, which 
would say that P is a singular point. Now the map 


E-P! 
[x, y, 1] > Lx, 1] 


is of degree 2, so ordp(x — Xo) < 2; and ordp(x — x) = 2 if and only if the 
quadratic polynomial F(x, y) has a double root. In other words, either 
ordp(x — Xo) = 1, or else ordp(x — x9) = 2 and F,(x9, yo) = 0. Thus in both 
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cases (II.4.3) 
ordp(w) = ordp(x — Xo) — ordp(F,) — 1 = 0. 


Finally, we must check the point P = O. Let t be a uniformizer at O. Since 
ord,(x) = 2 and ordp(y) = 3, x =t-?f and y=t 3g for functions f and g 
satisfying f(O) 4 0, 00 and g(O) 4 0, 0. Now 


w = dx/F,(x, y) = ((—2t-3f + tf )/(2t- 3g + at? + a3))dt 
=((—2f + fY(2g + aytf + agt*))dt. 


(Here f’ = df/dt (cf. 11.4.3). In particular, (II.4.3b) tells us that f’ is regular at 
O.) Assuming that char(K) # 2, the function (—2f + ¢f’)/(2g + a,tf + at) 
is regular and non-vanishing at O; and so 


ord,(w) = 0. 
If char(K) = 2, then the same result follows from a similar calculation (using 
@ = dy/F,(x, y)) which we will leave for the reader. O 


Next we look at what happens when a Weierstrass equation is singular. 


Proposition 1.6. If a curve E given by a Weierstrass equation is singular, then 
there exists a rational map ¢: E > P? of degree 1. (Ie. E is birational to P?. 
Note that since E is singular, we cannot use (II.2.4.1) to conclude that E =~ P'.) 


Proor. Making a linear change of variables, we may assume that the singular 
point is (x, y) = (0, 0). Then checking partial derivatives, we see that the 
Weierstrass equation will have the form 


E:y? + a,xy =x? + a,x’. 
Hence the rational map 
E>P! (x y>[x y] 
has degree 1, with inverse 
P!>E [i,t] >(t? + a,t — ay, t? + a,t? — ayt). 


[I.e. Use t = y/x to map to P', and note that dividing the equation for E by 
x? yields t? + a,t = x + a), 80 x and y = xt are both in K(t).] g 
Legendre Form 


There is another form of Weierstrass equation which is sometimes conve- 
nient. 


Definition. A Weierstrass equation is in Legendre form if it can be written as 


y? = x(x — 1)(x — A). 
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Proposition 1.7, Assume char(K) # 2. 
(a) Every elliptic curve E/K is isomorphic (over K) to an elliptic curve in 
Legendre form 

E,:y? = x(x — 1)(x — A) 


for some 4€K, 4 #0, 1. 
(b) The j-invariant of E, is 


yo? — A+ 1) 


J(E,) = “Ba he 
(c) The association 
K—{0,1}+K 
A j(E,) 


is surjective and exactly six-to-one except above j = 0 and j = 1728, where it is 
two-to-one and three-to-one respectively. 


ProoF. (a) Since char(K) 4 2, we know that E has a Weierstrass equation of 
the form 
y? = 4x3 + b,x? + 2b,x + be. 


Replacing (x, y) by (4x, 8y) and factoring the cubic yields an equation 
y? = (x — e,)(x — e2)(x — 3), 
where e,, e,, ¢, ¢ K. Further, since 
A = 16(e; — e2)(e, — e3)"(e2 — e3)” # 0, 
the e,’s are seen to be distinct. Now the substitution 
x = (e, — e;)x' + ey y =(e, —e)°”y’ 


gives an equation in Legendre form with 


eg — ey 


(b) Calculation. 

(c) One can work directly from the formula for j(E,) in (b), an approach that 
we leave for the reader. Instead we use the fact that the j-invariant classifies 
an elliptic curve up to isomorphism (1.4b). Thus suppose j(E,) = j(E,). Then 
E, = E,, so their Weierstrass equations (in Legendre form) are related by a 
change of variables 


x=wx' +r y=ury’, 
Equating 


x(x — 1)(x — pw) = («+5)(s + St(-+ 54), 
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there are six ways of assigning the linear terms to one another, and one easily 
checks that these lead to six possibilities 


wefigl aa 1 A “7 


eae aio gay at 


Hence 4 > j(E,) is exactly six-to-one unless two or more of these values for yu 


coincide. Equating them by pairs shows that this only occurs for A = —1 and 
A? —4+1=0, for which the set has respectively three and two elements; 
these values of A correspond respectively to j = 1728 and j = 0. oO 
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Let E be an elliptic curve given by a Weierstrass equation. Remember that 
E < P’ consists of the points P = (x, y) satisfying the equation together with 
the point O = [0, 1,0] at infinity. Let L. <P? be a line. Then since the 
equation has degree three, L intersects E at exactly 3 points, say P, Q, R. (Note 
if L is tangent to E, then P, Q, R may not be distinct. The fact that LO E, 
taken with multiplicities, consists of three points, is a special case of Bezout’s 
theorem [Har, I.7.8]. But since we will give explicit formulas below, there is 
no need to use a general theorem.) 
Define a composition law @ on E by the following rule. 


Composition Law 2.1. Let P, Qe E, L the line connecting P and Q (tangent line 
to E if P = Q), and R the third point of intersection of L with E. Let L’ be the 
line connecting R and O. Then P @ Q is the point such that L' intersects E at 
R, O, and P@ Q. 


The following diagrams illustrates this rule (Figure 3.3). 
We now justify the use of the symbol @. 


Proposition 2.2. The composition law (2.1) has the following properties: 
(a) Ifa line Lintersects E at the (not necessarily distinct) points P,Q, R, then 


(P@QOR=O. 


(b) P®O=P for all PEE. 
(c) P®Q=QOP forall P,QeE. 
(d) Let PEE. There is a point of E, denoted ©P, so that 


P@(OP)=0. 
(e) Let P,Q, REE. Then 
(POOGR=POOQOR). 


In other words, the composition law (2.1) makes E into an abelian group with 
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=0 


P@®Q@R 


Figure 3.3 
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identity element O. We further have: 
(f) Suppose E is defined over K. Then 


E(K) = {(x, ye K*: y? + a,xy + a3y = x? + a,x? + ayx + ag} U {O} 
is a subgroup of E. 


Proor. All of this is easy except for the associativity (e). 

(a) Obvious from (2.1). (Or look at Figure 3.3. Note that the tangent line to 
E at O intersects E with multiplicity 3 at O.) 

(b) Taking Q = O in (2.1), we see that the lines L and L’ coincide. The former 
intersects E at P, O, R, and the latter at R,O, PP ® O,so P@O =P. 

(c) Clear, since the construction in (2.1) is symmetric in P and Q. 

(d) Let the line through P and O also intersect E at R. Then using (a) and (b), 


O=(P@O)O@R=POR. 


(e) Using the explicit formulas given below (2.3), one can laboriously verify 
the associative law case by case. We leave this task for the reader. A more 
enlightening proof, using the Riemann—Roch theorem, will be given in the 
next section (3.4e). For a more geometric proof, see [Ful]. 

(f) If P and Q have coordinates in K, then the equation of the line connecting 
them has coefficients in K. If further E is defined over K, then the third point 
of intersection will have coordinates given by a rational combination of the 
coefficients of the line and of E, so will be in K. (See (2.3) below for explicit 
formulas.) a 


Notation. From here on, we will drop the special symbols @ and © and 
simply use + and — for the group operations on an elliptic curve E. For 
meZ and PeE, we let 


[m]P = P +---+ P (mterms) for m > 0, 
[O]P = 0, and [m]P =[—m](—P) form <0. 
As promised above, we now derive explicit formulas for the group opera- 
tions. Let E be an elliptic curve with the usual Weierstrass equation 
F(x, y) = y? + a,xy + a3y — x3 — a,x? — ayx — ag = 0, 


and let Py = (Xo, Yo) € E. Following the proof of (2.2d), to calculate — Py we 
take the line L through P, and O and find its third point of intersection with 
E. The line L is given by: 


L:x—X,) =0. 


Substituting this into the equation for E, we see that the quadratic poly- 
nomial F(x9, y) has roots yp and yg, where — Py = (Xo, yo). Writing out 


F (Xo; y) = C(y — Yo)(y — Yo) 
and comparing the coefficients of y? gives c= 1, and then the coeffi- 
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cients of y give yg = —Yo — 4,Xo — a3. This yields 
— Po = (Xo; — Yo — 41X09 — 3). 
Next we derive a formula for the addition law. Let P, =(x,, y,) and 
P, = (X2, yz) be points of E. If x, = x, and y, + yz + a,x, + a; = 0, then 


from the above formula P, + P, = O. Otherwise the line L through P, and P, 
(tangent line to E if P, = P,) has an equation of the form 


L:y=Ax +. 


(Formulas for A and v are given below.) Substituting into the equation for E, 
we see that F(x, Ax + v) has roots x,, x2, x3, where P; = (x3, y;) is the third 
point of Lo E. From (2.2a), 


P, + P, +P, =0; 
while writing out 
F(x, Ax + v) = c(x — x,)(x — x2)(x — x3) 
and equating coefficients of x? and x? yields c = —1 and 
Xp $X2+X3 =A? + a,4—ay. 


This gives the formula for x,, and substituting into the equation for L gives 
y3 = Ax, + v. Finally, to find P, + P, = —P3, we apply the negation formula 
found above to P;. All of this is summarized in the following. 


Group Law Algorithm 2.3. Let E be an elliptic curve given by a Weierstrass 
equation 
E:y? + a,xy + ayy = x? + a,x? + agx + dg. 
(a) Let Py = (X9, Yo)€ E. Then 
— Py = (Xo, —Yo — 44X0 — 43). 
Now let 
P,+P,=P; with P, =(x;, y)eE. 
(b) Ifx, =x, and y, + yz + a,x, + a3 = 0, then 
P, + P, = O. 


Otherwise, let 


1 y2—)1 pied ee asi 


’ 
X2—X4 X2— 4 


if x, FX; 


_ 3x + 2a,x1 +44 — ayy 
2y; + a,x, + a3 


A 


* 


3 
—x}7 + a,x, + 2a,—a 
ers 1 4X1 6 3V1 if x, = Xp. 
2y,; + a,x, +a; 


(Then y = Ax + vis the line through P, and P,, or tangent to E if P, = P,.) 
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(c) P,; = P, + P, is given by 
x3=M+a,4—a,-—X,—X2, 
y3 = —A+a,)x3 —v — a3. 


(d) As special cases of (c), we have for P; # + Po, 


Seeeit 2 aeant 
y2 2) +a, (2 y Jara =a 
X2z— Xy X2— %X}4 


and the duplication formula for P = (x, y)eE, 


x* — b,x? — 2bex — bg 
4x3 + b,x? + 2byx + be’ 


x(P, + P)) = ( 


x([2]P) = 
where b5, by, bg, bg are the polynomials in the a;’s given in section 1. 


Corollary 2.3.1. With notation as in (2.3), we say that a function f €K(E) = 
K(x, y) is even if f(P) = f(—P) for all Pe E. Then 


fis even ifand only if fe K(x). 
Proor. From (2.3), if P = (Xo, Yo), then —P = (Xo, —Yo — 41Xo — 43). It is 


thus clear that every element of K(x) is even. Suppose now that f e K(x, y) is 
even. Using the Weierstrass equation for E, we can write f as 


f(x y)=9(x) +h(x)y _ for some g, he K(x). 
Then 
g(x) + h(x)y = f(x, y) = fx, —y — a,x — as) 
= g(x) — (y + a,x + a3)h(x). 
Thus 
(2y + a,x + a3)h(x) = 0. 


Since this holds for all (x, y)¢ E, it follows that either h = 0, or else 2 = a, = 
a; = 0. But the latter implies that the discriminant A = 0, contradicting our 
assumption that the Weierstrass equation is non-singular (1.4a). Therefore 
h=0, so f(x, y) = g(x)e K(x). O 


Example 2.4. Let E/Q be the elliptic curve 
E:y? =x? + 17. 
A brief inspection reveals some points with integer coordinates 
P, =(—2,3) P,=(-1,4) P;=(2,5) Py=(4,9) Ps =(8, 23), 
and a short computer search gives some others 


Py = (43, 282) P, = (52, 375) P, = (5234, 378661). 
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Using the above formulas, one easily verifies relations such as 
P; = [2]P,, P, = P, — P3, [3] P, — P; = P>. 


Of course, there are lots of rational points, too, for example 


137-2651 8 109 
ee (a -=D) Rape (-5: 7) 
Now it is true (but not easy to prove) that every rational point Pe E(Q) can 
be written in the form 


P=[m]P,+[n]P; with m,neZ; 


and with this identification the group E(Q) is isomorphic to Z x Z. Further, 
there are only 16 integral points P = (x, y)EE (ie. with x, yeZ), namely 
{+P,,..., +P}. (See [Nag].) These facts illustrate two of the most funda- 
mental theorems in the arithmetic of elliptic curves, namely that the group of 
rational points on an elliptic curve is finitely generated (the Mordell—Weil 
theorem, proven in chapter VIII) and that the set of integral points on an 
elliptic curve is finite (Siegel’s theorem, proven in chapter IX). 


Now suppose that a Weierstrass equation has discriminant A = 0, so from 
(1.4a) it has a singular point. To what extent does the analysis of the composi- 
tion law fail in this case? As we will see below, everything is fine provided 
we discard the singular point; and in fact the resulting group then has a 
particularly simple structure. 

The reason we will be interested in this situation is best illustrated by an 
example. Consider again the elliptic curve of (2.4), 


Bey Sx? 217. 


This is an elliptic curve, defined over Q, with discriminant A = 243717. 
But we will also be interested in reducing the coefficients of this equation 
modulo p for various primes p, and considering it as a curve defined over the 
finite field F,. For almost all primes, namely those with A # 0 (mod p), the 
“reduced” curve will still be non-singular, and so we will have an elliptic 
curve. But for pe {2, 3, 17}, the “reduced” curve will have a singular point. 
Thus even when dealing with non-singular curves (for example, defined over 
Q), one finds singular curves naturally appearing. We will return to this 
reduction process in more detail in chapter VII. 


Definition. Let E be a (possibly singular) curve given by a Weierstrass equa- 
tion. The non-singular part of E, denoted E,,,, is the set of non-singular points 
of E. Similarly, if E is defined over K, then E,,(K) is the set of non-singular 
points of E(K). 

Recall that if E is singular, then there are two possibilities for the singu- 
larity, namely a node or a cusp (determined by whether c, = 0 or c, # 0, see 
(1.4a)). 
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Proposition 2.5. Let E be a curve given by a Weierstrass equation with discrimi- 
nant A = 0, so E has a singular point S. Then the composition law (2.1) makes 
E, into an abelian group. 

(a) Suppose E has a node (so c, # 0), and let 


y=a,x+ fp, and y=a,x+B, 
be the two distinct tangent lines to E at S. Then the map 
Ens rae K* 


(x Py i a a 
: Y— Ox — py 


is an isomorphism (of abelian groups). 
(b) Suppose E has a cusp (so c4 = 0), and let 


y=ax+ 8 
be the tangent line to E at S. Then the map 
E.. — Kt 


x — x(S) 
(x, y)> y—ax—p 


is an isomorphism. 


Remark 2.6. For a description of E,,,(K) in case K is not algebraically closed, 
see (exer. 3.5). 


Proor. We will check that the maps in (a) and (b) are set bijections with the 
property that if a line L not hitting S intersects E,,, in three (not necessarily 
distinct) points, then the images of these three points in K* (respectively K*) 
will multiply to 1 (respectively sum to 0). Using this, one easily verifies that 
the composition law (2.1) makes E,, into abelian group and that the maps in 
(a) and (b) are group isomorphisms. 

Since the composition law (2.1) and the maps in (a) and (b) are defined in 
terms of lines in P?, it suffices to prove the theorem after making a linear 
change of variables. We start by moving the singular point to (0, 0), yielding a 
Weierstrass equation 


y? + ayxy = x3 + ayx?. 


Let seK be a root of s? + a,s — a, = 0. Then replacing y by y + sx eliminates 
the x? term, giving the equation (which we now write using homogeneous 
coordinates) 


E:Y°Z+ AXYZ— X°=0. 
Note that E has a node (respectively cusp) if A 4 0 (respectively A = 0). 
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(a) The tangent lines to E at S = [0, 0, 1] are Y = 0 and Y + AX =0, so we 
are looking at the map 


= AX 
E,s > K* [X, ¥,Z]>1+—-. 
It is convenient to make one more variable change, so let 
X = A*X'— A’Y’ Y= A’yY’ Z=Z’. 
Dropping the primes, this gives the equation 
E: XYZ —(X — Y)> =0; 


and if we now dehomogenize by setting Y = 1 (ie. x = X/Y and z = Z/Y), 
this gives 
E:xz—(x — 1}? =0 


with the map 
E,s > K* (x, z) > x. 


(Notice the singular point is now out at infinity.) The inverse map is clearly 
given by 

K* 4 E,xs t (t, (t = 1)°/t), 
so we have a bijection of sets. It remains to show that if a line (not hitting 
[0, 0, 1]) intersects E at (x1, 21), (x2, 22), (x3, 23), then x, xx, = 1. (See Figure 
3.4.) But such a line has the form z = ax + b, and so the three x-coordinates 
X4, Xz, X3 are the roots of the cubic polynomial 


x(ax + b) — (x — 13 =0. 


Looking at the constant term, we see that x,x,x3 = 1, as desired. 


xz - (x-1)3 = 0 


Figure 3.4 
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(b) In this case A = 0, and the tangent line to E at S = [0, 0, 1] is Y = 0, so 
we are looking at the map 
E,,>K*  [X, Y,Z] > X/Y. 
Again dehomogenizing by setting Y = 1, we obtain 
E:z—-x?=0 
E,; > K* (x, z) > x. 


The inverse map is clearly t¢ > (t, t°). Finally, if the line z = ax + b intersects 
E in the three points (x;, y,), 1 < i < 3, then from the lack of an x? term in 


(ax + b)— x? =0, 


we see that x; + x,+x3,=0. oO 


§3. Elliptic Curves 


Let E be a smooth curve of genus 1. For example, the non-singular Weier- 
strass equations studied in sections 1 and 2 will define curves with this prop- 
erty. As we have seen, such Weierstrass curves have a group law associated 
to them. Now in order to make a set into a group, clearly an initial require- 
ment is to choose a distinguished (identity) element. This leads us to make the 
following definition. 


Definition. An elliptic curve is a pair (E, O), where E is a curve of genus 1 and 
OcE. (We often just write E for the elliptic curve, the point O being under- 
stood.) The elliptic curve E is defined over K, written E/K, if E is defined over 
K asacurve and Oe E(K). 

In order to connect this definition with the material of sections 1 and 2, we 
begin by using the Riemann—Roch theorem to show that every elliptic curve 
can be written as a plane cubic; and conversely, every smooth Weierstrass 
plane cubic curve is an elliptic curve. 


Proposition 3.1. Let E be an elliptic curve defined over K. 
(a) There exist functions x, y¢ K(E) such that the map 
¢:E>P? 
d=Lx%y, 1] 
gives an isomorphism of E/K onto a curve given by a Weierstrass equation 
C:¥*7+a,X¥ +a,Y = X%+a,X? +a,X +4, 


with coefficients a,, ..., 4g €K; and such that ¢(O) = [0, 1, 0]. (We call x, y 
Weierstrass coordinate functions on E.) 
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(b) Any two Weierstrass equations for E as in (a) are related by a linear change 
of variables of the form 


X=wx'4+r 
Y=uY' + su?X' +t 


with u, r,s, te K,u 4 0. 
(c) Conversely, every smooth cubic curve C given by a Weierstrass equation as 
in (a) is an elliptic curve defined over K with origin O = [0, 1, 0]. 


Proor. (a) We look at the vector spaces #(n(O)) for n = 1, 2, .... By the 
Riemann—Roch theorem (specifically (II.5.5c) with g = 1), 


¢(n(O)) = dim Y(n(O)) =n for alln > 1. 


Thus we can choose functions x, y€ K(E) (II.5.8) so that {1, x} is a basis for 
£(2(0)) and {1, x, y} is a basis for #(3(O)). Note that x must have a pole of 
exact order 2 at O, and similarly y must have a pole of exact order 3. 

Now £(6(0)) has dimension 6, but it contains the seven functions 1, x, y, 
x?, xy, y?, x3. It follows that there is a linear relation 


A, + A,x + Agy + Agx? + Asxy + Agy? + A,x? = 0, 


where by (II.5.8) we may take A,, ..., A7eK. Note that A,A, #0, since 
otherwise every term would have a different order pole at O, and so all the 
A; would vanish. Replacing x, y by — A, A,x, Ag A?y and dividing by A3A+ 
gives a cubic equation in Weierstrass form. This gives the desired map 


¢:E>P? g=([%y, 1] 


whose image lies in the locus C described by a Weierstrass equation. Note 
that ¢: EC is a morphism (II.2.1) and surjective (II.2.3). Note also that 
¢(O) = [0, 1, 0], since y has a higher order pole than x at O. 

The next step is to show that the map ¢:E-—C c P? has degree 1, or 
equivalently, that K(E) = K(x, y). Consider the map [x, 1]: E> P'. Since x 
has a double pole at O and no other poles, (II.2.6a) says that this map has 
degree 2. Thus [K(E): K(x)] = 2. Similarly, [y, 1]: E> P+ has degree 3, so 
[K(E): K(y)] = 3. Therefore [K(E): K(x, y)] = 1, since it divides both 2 and 
3,80 K(E) = K(x, y). 

Next we show that C is smooth. Suppose C is singular. Then from (1.4d) 
there is a rational map y:C—P"' of degree 1. Hence the composition 
wog:E-P* is a map of degree 1 between smooth curves, so from (II.2.4.1) 
it is an isomorphism. This contradicts the fact that E has genus 1 and P! has 
genus 0 (II.5.6). Therefore C is smooth, and now another application of 
(II.2.4.1) shows that the degree 1 map ¢: E > C is an isomorphism. 

(b) Let {x, y} and {x’, y’} be two sets of Weierstrass coordinate functions on 
E. Then x and x’ have poles of order 2 at O, and y and y’ have poles of order 
3. Hence {1, x} and {1, x’} are both bases for #(2(0)), and similarly {1, x, y} 
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and {1, x’, y’} are both bases for #(3(O)). It follows that there are constants 
U,,Uz,1, S2,tEK with u,u, 4 0 such that 


X=u,x'’+r yHugy +8,x' +t. 


But (x, y) and (x’, y’) both satisfy Weierstrass equations in which the Y* and 
X? terms have coefficient 1, so u3 = u3. Letting u = u,/u, and s = s,/u? puts 
the change of variable formula in the desired form. 

(c) Let E be given by a non-singular Weierstrass equation. We have seen (1.5) 
that the differential 


@ = dx/(2y + a,x + az)EQz 


has neither zeros nor poles, so div(w) = 0. But from the Riemann—Roch 
theorem (specifically II.5.5b), 


2 genus(E) — 2 = deg div(a). 


Hence E has genus 1, so together with the point [0, 1,0], it is an elliptic 
curve. (For another proof of (c) using the Hurwitz genus formula, see exer. 


2.7) Oo 


Corollary 3.1.1. Let E/K be an elliptic curve with Weierstrass coordinate 
functions x, y. Then 


K(E) = K(x, y) and [K(E): K(x)] = 2. 
Proor. This was proven during the course of proving (3.1a). O 


Remark 3.2. Note that (3.1b) does not imply that if two Weierstrass equations 
have coefficients in a given field K, then every change of variables mapping 
one to the other has coefficients in K. A simple example is the equation 


2x3 4x, 
which has coefficients in Q. Yet it is mapped to itself by the substitution 
x= —x’ y=iy’, 
where i? = —1. 
Next we use the Riemann—Roch theorem to describe a group law on the 
points of E. Of course, this will turn out to be the same group law already 
described by (2.1) when E is given by a Weierstrass equation. We start with a 


simple lemma, which serves to distinguish P* from curves of genus 1. (For a 
generalization, see exer. 2.5.) 


Lemma 3.3. Let C be a curve of genus 1, and let P, QEC. Then 
(P)~(Q) if andonlyif P=Q. 
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Proor. Suppose (P) ~ (Q), and choose f € K(C) so that 
div(f) = (P) — (Q). 

Then f ¢ #((Q)), and by the Riemann—Roch theorem (II.5.5c), 

dim ¥((Q)) = 1. 
But Y((Q)) already contains the constant functions, hence feK and 
P=@Q. oO 
Proposition 3.4. Let (E, O) be an elliptic curve. 
(a) For every divisor D € Div®(E) there exists a unique point Pe E so that 

D ~ (P) — (0). 

Let 

a: Div(E) > E 


be the map given by this association. 
(b) The map o is surjective. 
(c) Let D,, D,€ Div®(E). Then 


o(D,) = o(D,) if and only if D, ~ D3. 
Thus o induces a bijection of sets (which we also denote by c) 
a: Pic(E) 5 E. 
(d) The inverse to o is the map 
Kk: E 5 Pic(E) 
P > class of (P) — (O). 


(e) If E is given by a Weierstrass equation, then the “geometric group law” on 
E arising from (2.1) and the group law induced from Pic®(E) by using o are the 
same. 


Proor. (a) Since E has genus 1, the Riemann—Roch theorem (II.5.5c) says 
that 


dim Y(D +(0)) = 1. 
Let f € K(E) be a generator for Y(D + (O)). Since 
div(f) > —D—(O) and deg(div(f)) = 0, 
it follows that 
div(f) = —D — (O) + (P) 
for some Pe E. Hence 
D ~ (P) — (0), 


which gives the existence of a point with the desired property. 
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Next suppose P’€ E has the same property. Then 

(P) ~ D + (0) ~ (P’), 
so P = P’ from (3.3). Hence P is unique. 
(b) For any PeE, 

a((P) — (O)) = P. 

(c) Let D,, D, € Div°(E), and set P, = o(D,). Then from the definition of a, 

(P,) — (P:) ~ D, — Dj. 
Hence P,; = P, certainly implies D, ~ D,. Conversely, if D, ~ D,, then 
(P,) ~ (P,), so P, == P, from (3.3). 
(d) Clear. 
(e) Let E be given by a Weierstrass equation, and let P, QeE. It clearly 
suffices to show that 

K(P + Q) = k(P) + K(Q). 


[N.B. The first + is addition on E using (2.1), while the second is addition of 
divisor classes in Pic®(E).] 
Let 


S(X, Y, Z)=aX + BY +yZ =0 
give the line L in P? going throught P and Q, let R be the third point of 
intersection of L with E, and let 
S'(X, Y, Z) =X + PY +yZ=0 


be the line L’ through R and O. Then from the definition of addition on E 
(2.1) and the fact that the line Z = 0 intersects E at O with multiplicity 3, we 
have 


div(f/Z) = (P) + (Q) + (R) — 3(0) 


and 
div( f’/Z) = (R) + (P + Q) — 2(0). 
Hence 
(P + Q) — (P) — (Q) + (0) = div(f'/f) ~ 9, 
so 


K(P + Q) — x(P) — «(Q) = 0. a 


Corollary 3.5. Let E be an elliptic curve and D = Xnp(P)e Div(E). Then D is 
principal if and only if Xnp = 0 and X[np]P = O. (Note the first sum is of 
integers, the second is addition on E.) 


Proor. From (II.3.1b), every principal divisor has degree 0. Assuming now 
De Div°(E), (3.4a, e) implies 
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D ~ 0<>0(D) = 0) [np]a((P) — (0)) = 9, 
which is the desired result since o((P) — (O)) = P. Oo 


Remark 3.5.1. If we combine (3.4) with (11.3.4), we see that every elliptic curve 
E/K fits into an exact sequence 


1 > K* + K(E)* 5 Div(E) 5 E30, 


where o is the operation “sum up the divisor using the group law on E”. 
Further, (exer. 2.13b) implies that the sequence remains exact if we take 
Gg)x-invariants: 


1 > K* + K(E)* 5 Div9(E) 5 E(K) > 0. 
(See also (X.3.8).) 


We now prove the fundamental fact that the addition law on an elliptic 
curve is a morphism. Since addition is a map E x EE, and E x E has 
dimension 2, we cannot use (II.2.1) directly; but it will play a crucial role in 
our proof. One can also give a proof using explicit equations, but the algebra 
is somewhat lengthy (see (3.6.1) below). 


Theorem 3.6. Let E/K be an elliptic curve. Then the equations (2.3) giving the 
group law on E define morphisms 


+:ExE>E and —:E-E 
(P,, P;) > P, + P, P- —P. 
ProoF. First, the subtraction map 


(x, y) > (x, —y — a,x — a3) 


is clearly a rational map E > E. Since E is smooth, it is a morphism (II.2.1). 
Next we fix a point Q 4 O on E, and consider the “translation-by-Q” map 


ti: EOE (P)=P+Q. 


From the addition formula given in (2.3c), this is clearly a rational map; and 
so, again by (II.2.1), it is a morphism. In fact, since it has an inverse, namely 
P-— P — Q, it is isomorphism. 

Finally, we consider the general addition map + : E x E > E. From (2.3c) 
we see that it is a morphism except possibly at points of the form (P, P), 
(P, —P), (P, O), and (O, P), since for points not of this form, the rational 
functions 


A=(Y2 — iMX2— X14) and v= (y,xX2 — y2X4)(x2 — x4) 


on E x E are well-defined. 
To deal with the four exceptional cases, one can work directly with the 
definition of morphism. (See (3.6.1) below.) However, we prefer to let the 
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group law assist us. Thus let t, and t, be translation maps, as defined above, 
for points Q, and Q, respectively. Consider the composition of maps 


(bebo EVE SESE OE 


Since the group law on E is associative and commutative (2.2), the net effect 
of these maps is as follows: 


(P,, P2) > (P; + Q1,P2 + Q2) 7 P, +9,+P2+Q, 
>P,+P,;+Q,—>P, + Py. 


Thus the rational map ¢ agrees with the addition map wherever they are 
both defined. 

Further, since the 7;’s are isomorphisms, it follows from the discussion 
above that ¢ is a morphism except possibly at points of the form 


(P—Q:,P—Q,) (P—Qi1,-P—Q,) (P—Q1,—Q2) (—Q1,P — Q)). 


But Q, and Q, may be chosen essentially arbitrarily. Hence by varying Q, 
and Q,, we can find a finite set of rational maps 


1, 92,---5by: EX EOE 
such that 


(i) ¢, is the addition map given in (2.3c). 
(ii) For each (P,, P,)e E x E, some ¢; is defined at (P,, P,). 
(iii) If 6, and ¢; are both defined at (P,, P,), then ¢,(P,, P,) = $(P,, Po). 


It follows that addition is defined on all of E x E, so it is a morphism. oO 


Remark 3.6.1. During the course of proving (3.6), we noted that the formulas 
in (2.3c) make it clear that the addition map +:E x E—E is a morphism 
except possibly at points of the form (P, +P), (P, O), (O, P). Rather than 
using translation maps to circumvent this difficulty, one can work directly 
from the definition of morphism using explicit equations. It turns out that 
this involves consideration of quite a number of cases; we will do one to 
illustrate the method. 

Thus let (x,, y13 X2, ¥2) be Weierstrass coordinates on E x E. We will 
show explicitly that addition is defined at points of the form (P, P) with 
P+#O and [2]P 40. Note that addition is defined in general by the 
formulas given in (2.3c): 


A= (V2 — yi)/(X2 — 1) V = (YiX2 — Y2X1)(X2 — X1) = yi — AX, 
x3 =A? + a,A—a,—xX,—X, 3 = —(A + a4)x3 —V — ag. 


Here 4, v, x3, y3 are functions on E x E, and addition is given by the map 
[x3, 3,1]: E x EE. Thus to show that addition is defined at (P, P), it 
suffices to show that / is defined there. But by assumption, both pairs of 
functions (x,, y,) and (x, y) satisfy the same Weierstrass equation. Sub- 
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tracting one equation from the other and factoring yields 
(V1 — Ya)(Vi + Y2 + 1%1 + 43) 
= (x, — X2)(x? + xy xX2 + x3 + A,X, + AX2 + 4 — Ay yp). 
Hence / may also be written as 


= Xf + X1X2 + x3 + a(x, + X) + Ag — ayy2 
Vit Yo + a,x, + a3 


A 


Therefore, if P = (x, y), then 


3x? + 2a,Xx + d4— ayy. 


P, P) = 
ME) 2y+a,x+a,; 


and so / is defined at (P, P) (unless 2y + a,x + a3, = 0, which is excluded by 
our assumption that [2]P # O). The reader may deal similarly with the other 
cases. 


§4. Isogenies 


Having now examined in some detail the geometry of individual elliptic 
curves, we turn to the study of the maps between them. Since an elliptic curve 
has a distinguished zero point, it is natural to single out those maps which 
respect this property. 


Definition. Let E, and E, be elliptic curves. An isogeny between E, and E, is 
a morphism 


¢:E, > E, 
satisfying ¢(O) = O. E, and E, are isogenous if there is an isogeny ¢ between 
them with ¢(E,) 4 {O}. 

Notice that from (II.2.3), an isogeny ¢ satisfies either ¢(E,) = {O} or 
@(E,) = E,. Thus except for the zero isogeny, defined by [0](P) = O for 
all Pe E,, every other isogeny is a finite map of curves. Hence we obtain the 
usual injection of function fields (II §2) 


g* : K(E,) > K(E,); 
and the degree of ¢ (deg ¢), separable and inseparable degrees of ¢ (deg,¢ and 
deg;¢), and whether ¢ is separable, inseparable, or purely inseparable are de- 


fined by the corresponding property for the finite extension K(E,)/¢*K(E)). 
By convention, we set 


deg[0] = 0. 


Since elliptic curves are groups, the maps between them form groups. 
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Thus let 
Hom(E,, E,) = {isogenies ¢: E, > E,}. 
Then (3.6) implies that Hom(E,, E,) is a group under the addition law 
(¢ + W)(P) = o(P) + Y(P). 


If E, = E,, then we can also compose isogenies. Thus if E is an elliptic curve, 
we let 


End(E) = Hom(E, E) 
be the ring with addition as above and multiplication given by composition, 


(o)(P) = oY (P)). 


(The fact that the distributive law holds follows from (4.8) proven below.) 
End(E) is called the endomorphism ring of E. The invertible elements of 
End(E) form the automorphism group. of E, which is denoted Aut(E). The 
endomorphism ring of an elliptic curve is an important invariant which we 
will study in some detail throughout the rest of this chapter. 

Of course, if E,, E,, E are defined over a field K, then we can restrict 
attention to those isogenies defined over K. The corresponding groups of 
isogenies are denoted with the usual subscripts, thus 


Hom,(E,, F,), End,(E), Aut,(E). 


Example 4.1. For each me Z we can define an isogeny multiplication by m 
[m]:E>E 
in the natural way. If m > 0 then 
[m](P) = P+ P +---+ P (m terms); 


ifm < 0 then [m](P) = [—m](—P); and we have already defined [0](P) = O. 
That [m] is an isogeny follows easily by induction using (3.6). Notice that if 
E is defined over K, then [m] is defined over K. We start our analysis of the 
group of isogenies by showing that the multiplication by m map is non- 
constant (provided, of course, that m # 0). 


Proposition 4.2. (a) Let E/K be an elliptic curve and let me Z, m # 0. Then the 
multiplication by m map 


[m]:E>E 


is non-constant. 
(b) Let E, and E, be elliptic curves. Then the group of isogenies 


Hom(E,, E,) 


is a torsion-free Z-module. 
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(c) Let E be an elliptic curve. Then the endomorphism ring End(E) is an 
integral domain of characteristic 0. 


ProoF. (a) We start by showing that [2] 4 [0]. From the duplication formula 
(2.3d), if a point P = (x, y)€ E has order 2, then it must satisfy 


4x3 + b,x? + 2b4x + be = 0. 


If char(K) # 2, this shows immediately that there are only finitely many 
such points; and even for char(K) = 2, the only way to have [2] = [0] is 
for this polynomial to be identically 0, which means b, = b, = 0, which in 
turn implies A = 0. Hence in all cases [2] 4 [0]. Now, using the fact that 
[mn] = [m] o [n], we are reduced to considering the case of odd m. 

Assume now that char(K) # 2. Then using long division, one easily verifies 
that the polynomial 


4x3 + b,x? + 2b,x + be 
does not divide 
x4 = b,x? iad 2b¢x aa bg. 


(Le. If it does, then one finds that A = 0. In fact, these two polynomials are 
relatively prime (exer. 3.1).) Hence we can find an x9¢K so that the former 
vanishes to a higher order at x = x, than the latter. Choosing y)¢K so that 
Py = (Xo; Yo) € E, the doubling formula then implies that [2]P) = O. In other 
words, we have shown that E has a non-trivial point of order 2. But then for 
m odd, 
[m] Py = Py) #0, 

so clearly [m] # [0]. 

Finally, if char(K) = 2, one can proceed as above using the “triplication 
formula” (exer. 3.2) to produce a point of order 3. We will leave this for the 
reader, since later in this chapter (5.4) we will prove a result which includes 
the case of char(K) = 2 and m odd. 

(b) This follows immediately from (a). Suppose ¢¢Hom(E,, E,) and meZ 
satisfy 


[m]o¢ = [0]. 
Taking degrees gives 
(deg[m])(deg ¢) = 0; 


so either m = 0; or else (a) implies that deg[m] > 1, in which case we must 
have ¢ = [0]. 

(c) From (b), End(£) has characteristic 0. Further, if ¢, wy ¢End(E) satisfy 
dow = [0], then 


deg ¢ deg wy = deg dow =0. 
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It follows that either ¢ = [0] or w = [0]. Therefore End(E) is an integral 
domain. O 


For an arbitrary elliptic curve, the only isogenies which are immediately 
evident are the multiplication-by-m maps. As a consequence, these maps will 
provide one of the most powerful tools at our disposal for studying elliptic 
curves. 


Definition. Let E be an elliptic curve and meZ, m £0. The m-torsion sub- 
group of E, denoted E[m], is the set of points of order m in E, 


E[m] = {PeE:[m]P = 0}. 


The torsion subgroup of E, denoted E,,,,, is the set of points of finite order, 
foo} 
Exvors = U E[m]. 
m=1 


If E is defined over K, then E,,,,(K) will denote the points of finite order in 
E(K). 


The most important fact about the multiplication-by-m map is that it has 
degree m?, from which one can deduce the structure of the finite group E[m]. 
We will not prove this result here, since it will be an immediate corollary of 
our work with “dual isogenies” (cf. §6). However, the reader should be aware 
that there is a completely elementary (but rather messy) proof of this fact using 
explicit formulas and induction. (See exer. 3.7. For some other approaches, 
see exers. 3.8, 3.9.) 


Remark 4.3. Suppose that char(K) = 0. Then the map 
[ ]:Z—-End(E) 


is usually the whole story (i.e. End(E) = Z). If End(E) is strictly larger than 
Z, then we say that E has complex multiplication. The elliptic curves with 
complex multiplication have many special properties. (See appendix C §11 
for a brief discussion.) On the other hand, if K is a finite field, then End(E) is 
always larger than Z (see V §3). 


Example 4.4, Assume char(K) 4 2 and let E/K be the elliptic curve 
E:y?=x3—x., 


Then, in addition to Z, End(E) contains an element which we denote [i], 
given by 


[i]: (x, y) > (—x, iy). 
(Here ie K is a primitive fourth root of unity.) Thus E has complex multi- 
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plication. Clearly [i] is defined over K if and only if ie K. Hence even if E is 
defined over K, End,(E) may be strictly smaller than End(£). 

One immediately checks that [i] o [i] = [—1], so we have a ring homo- 
morphism 


Z[i] > End(E) 
m+ ni>[m] + [nJo[i]. 
If char(K) = 0, this is an isomorphism; and so for example 
Aut(E) = Z[i]* = {+1, +i} 


is a cyclic group of order 4. 


Example 4.5. Again assume char(K) # 2, and let a, be K with b #0 and 
r = a* — 4b # 0. Consider the two elliptic curves 


E,:y? =x? + ax” + bx 
E,: Y? = X? — 2aX? + rX. 


There are isogenies (of degree 2) 


¢:E, > E> $:E, > E, 
y? y(b — x?) Y? Y(r — X”) 
«n> (S05> (X, Y)> 4x2? 8x2 


By a direct computation one can check that go¢=[2] on E, and 
¢o¢=[2] on E,. This gives an example of dual isogenies, which we will 
discuss in section 6. 


Example 4.6. Suppose K is a field of characteristic p with p > 0, and let 
q = p’. If E/K is an elliptic curve given by a Weierstrass equation, recall 
(II §2) that the curve E®/K is defined by raising the coefficients of the 
equation for E to the q""-power; and the Frobenius morphism is given by 


$,: E> E® 


(x, y) > (x4, y4). 


Since E is the zero locus of a Weierstrass equation, it too will be an elliptic 
curve provided that the equation is non-singular. But writing everything out 
in terms of the Weierstrass coefficients and using the fact that the q'"-power 
map K — K is a homomorphism, one readily sees that 


A(E®) = A(E}! and j(E) = j(E)‘. 
In particular, the equation for E® is non-singular. 


Now suppose that K = F, is a finite field. Then the q"*-power map on K is 
the identity, so E® = E, and ¢, is an endomorphism of E, called the Frobenius 
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endomorphism. The set of points fixed by ¢, is exactly the finite group E(K), a 
fact which lies at the heart of Hasse’s proof for estimating # E(K). (See V §1.) 


Example 4.7. Let E/K be an elliptic curve and Qe E. Then we can define a 
translation by Q map 
Tg: E>E 
P>P+@Q. 


This is clearly an isomorphism, since t_g provides an inverse. Of course, it is 
not an isogeny unless Q = O. 


Now let 
F:E,->E, 
be any morphism of elliptic curves. Then the map 
$ = To) OF 
is an isogeny (since ¢(O) = O). We have thus shown that any map 
F =t@0¢ 


is the composition of an isogeny and a translation. 


An isogeny is a map between elliptic curves which sends O to O. Since an 
elliptic curve is a group, it might seem more natural to focus on those 
isogenies which are group homomorphisms. In fact, it turns out that every 
isogeny has this property. 

Theorem 4.8. Let 
¢:E, > E, 
be an isogeny. Then 
o(P + Q)= 9(P)+ ¢(Q) forall P,QeE,. 

ProoF. If ¢(P) = O for all Pe E,, there is nothing to prove. Otherwise, ¢ is a 
finite map, so by (II.3.7) it induces a homomorphism 

¢, : Pic®(E,) > Pic(E,) 
defined by 

¢, (class of )'n,(P,)) = class of )'n,(@P)). 

On the other hand, from (3.4) we have group isomorphisms 

K; 7 E; > Pic°(E;) 

P- class of (P) — (0). 


Then, since ¢(O) = O, we have the following commutative diagram: 
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E, — Pic%E,) 

¢ e 

E, =. Pic(E,). 
Since K,, K,, and ¢, are all group homomorphisms, and x, is injective, it 
follows that ¢ is also a homomorphism. oO 
Corollary 4.9. Let ¢: E, + E, be a non-zero isogeny. Then 

ker ¢ = ¢ *(0) 

is a finite subgroup. 


ProoF. It is a subgroup from (4.8) and finite (of order at most deg ¢) from 
(II.2.6a). 


The next three results (4.10, 4.11, 4.12) encompass the basic Galois theory 
of elliptic function fields. 


Theorem 4.10. Let ¢: E, + E, be a non-constant isogeny. 
(a) For every QEE,, 


#¢°*(Q) = deg, ¢. 
Further, for every Pe E,, 
eg(P) = deg;(¢). 


(b) The map = = 
ker ¢ > Aut[K(E,)/¢*K(E,)] 


* 
T>t 


is an isomorphism. (Here ty is the translation-by-T map (4.7), and tf is the 
automorphism it induces on K(E,).) 
(c) Assume that ¢ is separable. Then @ is unramified, 


#ker ¢ = deg ¢, 
and K(E,) is a Galois extension of $*K(E,). 


ProoF. (a) From (II.2.6.b) we know that 
#6 *(Q) = deg. 


for all but finitely many QeE,. But for any Q, Q’c E,, if we choose some 
Re E, with ¢(R) = Q’ — Q, then the fact that ¢ is a homomorphism implies 
that there is a one-to-one correspondence 
¢*(Q)>¢"*(Q'/) 
PoP+R. 
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Hence 
#¢ (Q)=deg,¢ forall QeE,, 
which proves the first assertion. 

Now let P, P’eE, with ¢(P) = ¢(P’)=Q, and let R= P’ — P. Then 
¢(R) = O, so OT = ¢. Therefore, using (II.2.6c) and the fact that tp is an 
isomorphism, 

eg(P) = egorg(P) = eg(te(P))e.,(P) = eg(P’). 


Hence every point of ¢-1(Q) has the same ramification index. We compute 


(deg, ¢) (deg; ¢) = deg ¢ = . ae eg(P) (II.2.6a) 
=(#¢"(Q))eg(P) for any Peg *(Q) 
= (deg, d)eg(P) from above. 


Cancelling deg, @ gives the second assertion. 
(b) First, if Teker ¢ and fe K(E,), then 


TH(O*f) = (G0 t7)*f = O*f, 


since $0 t; = ¢. Hence as an automorphism of K(E,), t# does fix ¢*K(E,), 
so the indicated map is well-defined. Next, since 


Ty OTp = Tsi7 = Tr OTs, 
the map is clearly a homomorphism. Finally, from (a) we have 
#ker @ = deg, d; 
while from basic Galois theory, 
# Aut(K (E,)/¢*K(E2)) < deg, ¢. 


Hence to prove that the map T - t# is an isomorphism, it suffices to show 
that it is injective. But if t* fixes K(E,), then in particular every function on 
E, takes the same value at T and O. This clearly implies that T = O. 

(c) If ¢ is separable, then from (a) we see that 


#6 '(Q)=deg¢ _ forall QE E,. 
Hence ¢ is unramified (II.2.7), and putting Q = O gives 
#ker ¢ = deg ¢. 
Then from (b) we find that 
# Aut(K(E,)/¢*K(E,)) = [K(E,): 6*K(E2)], 
so K(E,)/¢*K(E;) is a Galois extension. im 
Corollary 4.11. Let 
@:E,>E, and w:E,-£, 
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be non-constant isogenies, and assume that ¢ is separable. If 
ker ¢ < ker y, 
then there is a unique isogeny 
A: E, 7 E; 
such that pb = 104. 


ProorF. Since ¢ is separable, (4.10c) says that K(E,) is a Galois extension of 
¢*K(E,). Then the inclusion ker ¢ < ker and the identification given in 
(4.10b) implies that every element of Gal(K(E,)/¢*K(E,)) fixes w*K(E,). 
Hence by Galois theory, there are field inclusions 


w*K(Es) = $*K(E,) S K(E,). 

Now (II.2.4b) gives a map 

A: E, 7 E; 
satisfying 

$*(A*K(Es)) = *K(E3); 

and this in turn implies that 

Aog=w. 
Finally, 4 is an isogeny, since 

A(O) = A(G(O)) = W(O) = O. oO 

Proposition 4.12. Let E be an elliptic curve, and let ® be a finite subgroup of E. 
Then there is a unique elliptic curve E' and a separable isogeny 

o:ESE 
such that 

ker d=. 
Remark 4.13.1. The elliptic curve whose existence is asserted in this corollary 
is often denoted by the quotient E/®. This clearly indicates the group struc- 
ture, but there is no a priori reason why this group should correspond to 
the points on an elliptic curve. In fact, the quotient of any variety by a finite 


group of automorphisms is again a variety (cf. [Mum, §7]. The case of curves 
is done in (exer. 3.13).) 


Remark 4.13.2. Suppose that E is defined over K, and that ® is Gg,x-invariant. 
(Le. If Te®, then T’€® for all o € Gg)x.) Then it is actually possible to find 
an E’ and a ¢ which are defined over K. (See exer. 3.13.) 
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Proor. As in (4.10b), each point Te® gives rise to an automorphism tx of 
K(E). Let K(E)® be the subfield of K(E) fixed by every element of ®. Then 
Galois theory says that K(E) is a Galois extension of K(E)® with Galois 
group isomorphic to ®. 

Now K(E)? is a field of transcendence degree 1 over K, so from (I1.2.4c) 
there is a unique curve C/K and a finite morphism 


@:E>C 
such that 
o*K(C) = K(E)®. 


Next we show that ¢ is unramified. Let Pe E and Te®. Then for every 
function fe K(C), 


SGP + T)) = (tFO G*)S)(P) = O*F)(P) = FG(P)), 


where the middle equality uses the fact that t# fixes every element of ¢*K(C). 
It follows that ¢(P + T) = ¢(P). Now let QEC, and choose any PeE with 
¢(P) = Q. Then 


¢(Q) > {P+ T: Te}. 
But 
#6 '(Q) <deg¢= #9, 


with equality holding if and only if ¢ is unramified at Q (II.2.7). Since the 
points P + T are distinct as T ranges over the elements of ®, we conclude 
that ¢ is unramified at Q; and since Q was arbitrary, ¢ is unramified. 

Now apply the Hurwitz genus formula (I1.5.9) to ¢. Since ¢ is unramified, 
the formula reads 


2 genus(E) — 2 = (deg ¢)(2 genus(C) — 2). 


From this we conclude that C also has genus 1; so it becomes an elliptic 
curve, and ¢ becomes an isogeny, if we take ¢(O) as the “zero point” on C. 
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Let E/K be an elliptic curve given by the usual Weierstrass equation 
y? + ayxy + az,y = x? + a,x? + ayx + dg. 
As we have seen (1.5), the differential 


dx 


oO = —————— €) 
2y + a,x +a, 
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has neither zeros nor poles. We now justify its name of invariant differential 
by proving that it is invariant under translation. 


Proposition 5.1. With notation as above, for every Qé E, 
TEO = O. 


(Here tg is the translation-by-Q map (4.7).) 


ProorF. One can prove this proposition by a straightforward (but messy and 
unenlightening) calculation as follows. Write x(P + Q) and y(P + Q) out in 
terms of x(P), x(Q), y(P), and y(Q) using the addition formula (2.3c). Then use 
standard differentiation rules to calculate dx(P + Q) as a rational function 
times dx(P), treating x(Q) as a constant. In this way one can directly verify 
that (for fixed Q). 


dx(P + Q) 7 dx(P) 
2y(P + Q)+a,x(P+Q)+a, 2y(P)+a,x(P) +a, 
We leave the details of this calculation to the reader, and instead give a more 
illuminating proof. 
Since Q, is a 1-dimensional K(E)-vector space (II.4.2), there is a function 
age K (E)*, depending a priori on Q, so that 


T5W = Ag. 
(Note ag # 0 because tg is an isomorphism.) Now 
div(ag) = div(tg§@) — div(w) 
= 14 div(w) — div(w) 
=0 since div(w) = 0 from (1.5). 


Hence dg is a function on E with neither zeros nor poles, so by (II.1.2) it is 
constant, ag € K*. 
Next consider the map 


f:E-P} 
Q — [dg, 1]. 


From the calculation sketched above, even without doing it explicitly, it is 
clear that ag can be expressed as a rational function of x(Q) and y(Q). Hence 
f is a rational map from E to P? which is not surjective. (It misses both 
[0, 1] and [1, 0].) From (11.2.1) and (11.2.3), we conclude that f is constant. 
Therefore 


ag =a = 1 for all QE E, 
which is the desired result. oO 
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Differential calculus is, in essence, a linearization tool. It will come as no 
surprise that the enormous utility of the invariant differential on an elliptic 
curve lies in its ability to linearize the otherwise quite complicated addition 
law on the curve. 


Theorem 5.2. Let E and E' be elliptic curves, let w be an invariant differential on 
E, and let 


dW: E>E 
be two isogenies. Then 
(+ Vito = go + We, 


(N.B. The two “plus signs” in this last equation respresent completely different 
operations. The first is addition in Hom(E’, E), which is essentially addition 
using the group law on E. The second is the more usual addition in the vector 
space of differentials Q,..) 


Proor. If ¢ = [0] or y = [0], the result is clear. If 6 + w = [0], then using 
the fact that 


w* =(—9)* = oF o[—1]*, 
it suffices to check that 
[—1]*o = -o. 
Since 
[—1](x, y) = (x, —y — a,x — as), 
we immediately obtain the desired result 


[-1)* dx 2 dx 
2y+a,xt+a,) 2(—y a,x —a3)+ a,x + a; 
= dx 
Wy +ayx+a,3) 


We now assume that ¢, , and ¢ + w are all non-zero. 

Let (x,, y,) and (x3, y2) be “independent” Weierstrass coordinates for E. 
By this we mean that they satisfy the given Weierstrass equation for E, but 
satisfy no other algebraic relation. (More formally, ([x, y1, 1], [x2, y2, 1]) 
gives coordinates for E x E sitting inside P? x P?. Alternatively, (x,, y,) and 
(x2, y2) are “independent generic points of E” in the sense of Weil (cf. [Ca 
7)).) 

Let 


(x3, ¥3) = (X15 V1) + (2; V2), 
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so x3 and y, are the rational combinations of x,, y,, X2, y2 given by the 
addition formula on E (2.3c). Further, for any (x, y), let w(x, y) denote the 
corresponding invariant differential, 
dx 
(x, y) =". 
( ») 2y + a,x + a3 


Then using the addition formula (2.3c) and the standard rules for differentia- 
tion, we can express (x3, y3) in terms of w(x,, y,) and w(x, y.). This yields 


(X53, V3) = S(% 1, Vas X25 V2)O(X1, V1) + G(X1, V1» X25 V2)O(X2, Yo), 


where f and g are rational functions of the indicated variables. (In doing this 
calculation, remember that since x;, y; satisfy the given Weierstrass equation, 
the differentials dx; and dy, are related by 


(2y; + a,x; + a;)dy; = (3x? + 2a2Xx; + ag = ary) dx;. 


In this way, «(x3, y3) can be expressed as a K(xj, yi, X2, 2) linear com- 
bination of dx, and dx,.) 

We claim that f and g are both identically 1. Clearly this can be proven by 
an explicit calculation, a painful task that we leave for the reader. Instead, we 
use (5.1) to obtain the desired result. Suppose we assign fixed values to x, and 
y>, say by choosing some Qe E and setting 


X2= x(Q) and y, = y(Q). 
Then 
dx, = dx(Q) = 0, $0 (X2, V2) = 0; 
while from (5.1), 


T§O(X1, V1) 

@(X1, Y1)- 

Substituting these in the above expression for w(x3, y3), we find that 
f(*1, V> x(Q), y(Q)) =1 


as a rational function in K(x,, y,). Further, this is true for every point QE. 
It follows that f must be identically 1. Then reversing the roles of x,, y, and 
X2, V2, we see that the same is true for g. 

To recapitulate, we have shown that if 


(x3, y3) 


(x3, V3) = (%1, ¥1) + (X2, ¥2) (+ is addition on E), 
then 
(X35 Y3) = @(X1, ¥1) + @(X2, 2) (+ is addition in Q,). 
Now let (x’, y’) be Weierstrass coordinates on E’, and set | 


(Xr, V) = Psy) — Hay =WRLY) — (Xa, V3) = G+ WX, Y?). 
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Substituting this above yields 
(wo (d + W))(X', y’) = (WO9)(X’, y’) + (OOW)(X', y’), 

which says exactly that 

(9 + p)*o = da + W*o. oO 
Corollary 5.3. Let @ be an invariant differential on an elliptic curve E. Let 
meZ. Then 

[m]*o@ = mo. 

ProoF. The assertion is true for m = 0 (by definition) and m = 1 (clear). From 
(5.2) with ¢ = [m] and w = [1] we obtain 

[m + 1]*@ = [m]*o + o. 
The result now follows by (ascending and descending) induction. oO 


As a first indication of the utility of the invariant differential, we give a new, 
less computational proof of part of (4.2a) 


Corollary 5.4. Let E/K be an elliptic curve, and let me Z, m # 0. Assume either 
that char(K) = 0 or that m is prime to char(K). Then the multiplication-by-m 
map on E is a finite, separable endomorphism. 
ProoF. Let w be an invariant differential on E. Then from (5.3), 

[m]*o = mw # 0, 
so certainly [m] # [0]. Further, (II.4.2c) implies that [m] is separable. O 


As a second application, we examine when a linear combination involving 
the Frobenius morphism is separable. 


Corollary 5.5. Let char(K) = p > 0, let E be defined over F,, let 6: E> E be 

the q'*-power Frobenius endomorphism (4.6), and let m, ne Z. Then the map 
m+nd:E>E 

is separable if and only if pm. 


In particular, the map 1 — ¢ is separable. 


Proor. Let w be an invariant differential on E. From (II.4.2c), a map 
yw :E-E is inseparable if and only if y*w = 0. We apply this to the map 
yw =m + nd. Using (5.2) and (5.3), we compute 


(m + nd)*o = ma + nd*o. 


But ¢*@=0 because ¢ is inseparable (or by direct calculation, since 
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¢* dx = d(x‘) = 0), so 
(m + n¢)*o = mo. 


Now mw = 0 if and only if p|m, which gives the desired result. 
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Let ¢: E, > E, be a non-constant isogeny. Then ¢ induces a map (II.3.7) 
$* : Pic°(E,) > Pic®(E)). 
On the other hand, we have group isomorphisms (3.4) 
k;: E; > Pic®(E,) 
P class of (P) — (0). 

Hence we obtain a homomorphism going in the opposition direction to ¢, 
namely the composition 

E, “3 Pic(E,) & Pic(E,) i> Ey. 


As we will verify below, this map can be computed as follows. Let Q¢ E, and 
choose any Pe E, satisfying ¢(P) = Q. Then 


Ky! 0¢* 0K2(Q) = [deg ¢](P). 


It is by no means clear that the homomorphism xj!0¢* ox, is an 
isogeny; that is, given by a rational map. The process of finding a point P 
satisfying ¢(P) = Q will involve taking roots of various polynomial equa- 
tions. If ¢ is separable, one needs to check that applying [deg ¢] to P causes 
the conjugate roots to appear symmetrically. (That this is so is fairly clear if 
one explicitly writes out xj'0¢*ok,.) If ¢ is inseparable, this approach 
is more complicated. We now show that in all cases, there is an actual isogeny 
which can be computed in the manner described above. 


Theorem 6.1. Let 6: E, > E, be a non-constant isogeny of degree m. 
(a) There exists a unique isogeny 

¢ 1 E, > Ey 
satisfying 

dod =[m]. 
(b) As a group homomorphism, ¢ equals the composition 

E, > Div(E,) & Div(E,) > E, 
Q-(Q)—(0) = Sinp(P) > Vi [np] P. 
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Proor. (a) First we show uniqueness. Suppose ¢ and ¢’ are two such 
isogenies. Then 


(6 — 609 = [m] — [m] = [0]. 
Since tH) is non-constant, it follows from (II.2.3) that ¢ — ¢’ must be constant, 
sog=q’. 
Next suppose that y: E,— E, is another non-constant isogeny, say of 
degree n, and suppose that we know that ¢ and w exist. Then 
Gob)o(od) = dol[nlod =[n]ogod = [nm]. 


Thus gow has the requisite property to be fod. Hence using (II.2.12) to 
write an arbitrary isogeny ¢ as a compositon, it suffices to prove the existence 
of @ when ¢ is either separable or the Frobenius morphism. 


Case 1. ¢ is separable. Since ¢ has degree m, we have (4.10c) 


#kerd=m; 
so clearly 
ker ¢ c ker[m]. 
It now follows immediately from (4.11) that there is an isogeny 
$:E, > E, 
satisfying 
dog =m]. 


Case 2. ¢ is a Frobenius morphism. If ¢ is the q‘*-power Frobenius mor- 
phism, and q = p®, then clearly ¢ is the composition of the p‘*-power Fro- 
benius morphism with itself e times. Hence it suffices to prove that r) exists if 
¢ is the p'*-power Frobenius morphism, and so deg ¢ = p (II-2.11). 

We look at the multiplication-by-p map on E. Let w be an invariant 
differential. Then from (5.3) and the fact that char(K) = p, 


[p]*o = pw = 0. 


Hence from (II.4.2c) we conclude that [p] is not separable, so when [p] is 
decomposed as some Frobenius morphism followed by a separable map 
(11.2.12), the Frobenius morphism does appear. In other words, 


[p] = wo¢? 


for some integer e > 1 and some separable isogeny w. Then we can take 


b= pop. 


(b) Let Qe E,. Then the image of Q under the indicated composition is 
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sum{¢*((Q)—(0))}= Y Leg(P)IP—- yd) Leg(T)IT 


Ped 1(Q) Ted1(0) 
definition of ¢* 


= (dee, 41( yy P- ¥ r) from (4.10a) 


Peg-1(Q) Te¢(0) 
=[deg;glo[#¢(Q)]P _ for any Peg *(Q) 
= [deg ¢]P from (4.10a). 

But by construction, 
4(Q) = $0 9(P) = [deg 4]P, 


so the two maps are the same. oO 


Definition. Let ¢: E, + E, be an isogeny. The dual isogeny to ¢ is the isogeny 
d 1E, > E, 
given by (6.1a). [This assumes ¢ ¥ [0]. If ¢ = [0], then we set é = [0].] 
The next theorem gives the basic properties of the dual isogeny. From 
these basic facts we will be able to deduce a number of very important 


corollaries, including a reasonably good description of the kernel of the 
“multiplication-by-m” map. 


Theorem 6.2. Let 
¢:E, > E, 


be an isogeny. 
(a) Let m = deg ¢. Then 


dod=[m] on Ey; 
dod =[m] on E,. 
(b) Let 1: E, > E, be another isogeny. Then 
10g = god. 
(c) Let wy: E, > E, be another isogeny. Then 
O+y=d +9. 
(d) For all meZ, 
{m]=[m] and deg[m] = m?. 
(e) deg $ = deg ¢. 


& 


(f) p= $. 
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Proor. If ¢ is constant, then the entire theorem is trivial; and similarly for 
(b) or (c) if A or W is constant. We will thus assume that all isogenies are 
non-constant. 

(a) The first statement is the defining property of ¢. For the second, look at 


(g04)0¢ = do[m] =[m]og. 
Hence ¢ o¢ = [ml], since ¢ is not constant. 
(b) Letting n = deg A, we have 
(God)o(Aog) = go[nlodg = [n]odod = [nm]. 

Hence from the uniqueness statement in (6.1a), 

A A LTS 

~POA=AhO>P. 
(c) Let x,, y,€K(E,) and x,, y,€K(E,) by Weierstrass coordinates. We 
start by looking at E, considered as an elliptic curve defined over the field 
K(E,) = K(x, y,). Then another way of saying that ¢: E, > E, is an isogeny 


is to note that 4(x,, y,)€ E,(K(x,, y,)), and similarly for (¢ + W)(x,, y,) and 
W(x 1, ¥;). Now consider the divisor 


D = ((¢ + W)(X1, ¥1)) — (O(%1, V1) — (WO, V1) + (O)€ Divyx,,y,)(E2)- 


By definition of ¢ + y, it sums to O, so by (3.5) it is linearly equivalent to 0. 
Thus there is a function 


fe K(x, yi)(E,) = K(x, Ve X25 V2) 


which, when considered as a function of X>, y2, has divisor D. 

We now switch perspective, and look at f as a function of x,, y,; that 
is, f as a function on E, considered as a curve defined over K(x>, y.). Suppose 
P,€ E,(K(x3, y2)) is a point satisfying 6(P,) = (x2, y2). Then examining D, 
specifically the term —(¢(x,, y,)), we see that f has a pole at P,. (Le. 


f (X15 ¥15 X2, V2) will have a pole if x,, y1, Xz, Y2 Satisfy (x2, V2) = H(%1, V1).) 
Further, 


ordy,(f) = eg(P,): 
Similarly, f has a pole at P, if w(P,) = (x2, y2), and a zero if (¢ + W)(P,) = 
(x2, 2). It follows that as a function of x,, y,, the divisor of f has the form 
(¢ + W)*((X2, Y2)) — B*(X2, V2) — W*((X2, Y2)) + Lini(P) € Divgg yy (Ev), 
where the P;s are in E,(K). [L.e. £n,(P,)€ Divg(E,).] Since this is a divisor of 
a function, it sums to O, so using (6.1(b)) we conclude that 
a ‘ ‘ 
(@ + W)(X2, V2) — P(X25 V2) — W(X2, Ya) 


does not depend on (x, y,). [Le. it is in E,(K).] Putting (x., y,) = O shows 
that it equals O, which completes the proof that 


g+v=b+0. 
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(d) This is true for m = 0 (by definition) and m = 1 (clear). Then using (c) with 
¢ = [m] and w = [1], we find that 


[m+ 1] = (m) + fi); 


so the first assertion holds for all m by (ascending and descending) induction. 
Now led d = deg[m] and look at multiplication by d. 


[d] = (m] o[m] definition of dual isogeny 
= [m7] since [m] = [m]. 


Since the endomorphism ring of an elliptic curve is a torsion-free Z-module 
(4.2b), it follows that d = m?. 
(ec) Let m = deg ¢. Then using (d), 


[m?] = [deg[m]] = [deg(¢ 0 4)] = [(deg 4)(deg ¢)] = [m(deg 9)]. 


Hence again using (4.2b), we conclude that m = deg ¢. 
(f) Again let m = deg ¢. Then using (a), (b) and (d), 


$o¢=[n] =(m] =fod= od 


Therefore 
o=¢. Oo 
Definition. Let A be an abelian group. A function 
d:A-R 


is a quadratic form if 
(i) d(«) = d(—a) for all ae A; and 
(ii) the pairing 
AxA—-R 
(a, B) > d(a + B) — d(a) — a(B) 

is bilinear. 
A quadratic form d is positive definite if 
(ili) da) 20 __ for all we A; and 
(iv) d(a) =0 if and only if « = 0. 
Corollary 6.3. Let E, and E, be elliptic curves. The degree map 

deg : Hom(E,, E,) > Z 


is a positive definite quadratic form. 


Proor. Everything is clear except for the fact that the pairing 


<o, W> = deg(¢ + p) — deg(¢) — deg(y) 
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is bilinear. But using the injection 
[ ]:Z2—>End(E,), 
we have 
[<¢, W>] = [deg(¢ + w)] — [deg(¢)] — [deg(y)] 
a A A 

=(¢+ Wo@+y)-—go¢-—Woy 

=fow+ od from (6.2c). 
But again using (6.2c), we see that this last expression is linear in both @ 


and w. oO 


Corollary 6.4. Let E be an elliptic curve and me Z, m # 0. 
(a) deg[m] = m?. 
(b) If char(K) = 0 or ifm is prime to char(K), then 


E({m] = (Z/mZ) x (Z/mZ). 
(c) If char(K) = p, then either 
E[p*] = {0} — foralle = 1, 2, 3,...; or 
E[p°']=Z/p°Z for alle = 1,2, 3,.... 
(Recall that E[m] is another notation for ker[m], the set of points of E having 


order m.) 


ProoF. (a) This was proven above (6.2d). We record it again here in order to 
point out that there are many other ways of proving this fact (e.g., exers. 
3.7, 3.8, 3.11), and that the fundamental description of E[m] given in (b) 
follows formally from (a). 

(b) From the given conditions and the fact that deg[m] = m7, it follows that 
[m] is a finite, separable map. Hence from (4.10c), 


#E[m] = deg[m] = m’. 
Further, for every integer d dividing m, we similarly have 
#E[d] = d?. 


Writing the finite group E[m] as a product of cyclic groups, one immediately 
sees that the only possibility is 


Em] = (Z/mZ) x (Z/mZ). 
(c) Let ¢ be the p""-power Frobenius morphism. Then 
#E[p*]=deg.[p*] — (4.10a) 
= (deg,(60))? — (6.2) 
=(deg,)* — (11.2.11b). 
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From (6.2e) and (II.2.11c), 
deg ¢ = deg ¢ = p, 

so there are two cases. If ¢ is inseparable, then deg, é = 1,so0 

#E[p*] =1 for all e. 
Otherwise ¢ is separable, so deg, ¢ = p and 

#E[p*] = p° for all e. 
This last is easily seen to imply that 

E[p*] = Z/p°Z. 


(For a more complete analysis of E[p*°] in characteristic p, and its relation- 
ship to End(E), see chapter V, §3, 4.) oO 


§7. The Tate Module 


Let E/K be an elliptic curve and m > 2 an integer (prime to char(K) if 
char(K) > 0.) As we have just seen (6.4b), 


E[m] = (Z/mZ) x (Z/m2), 


the isomorphism being one between abstract groups. However, the group 
E[m] comes equipped with considerably more structure. Namely, each 
element of the Galois group Gg)x acts on E[m], since if [m]P = O, then 
[m](P’) = ([m] P)’ = O. We thus obtain a representation 


Ggjx > Aut(E[m]) = GL,(Z/mZ), 


where the latter isomorphism involves choosing a basis for E[m]. Individ- 
ually, for each m, these representations are not completely satisfactory, 
because it is generally easiest to deal with representations whose matrices 
have coefficients in a ring having characteristic 0. What we will do is to fit 
them together for varying m so as to achieve this end, the motivating example 
being the inverse limit construction of the 7-adic integers Z, from the finite 
groups Z/¢"Z. 


Definition. Let E be an elliptic curve and ?eZ a prime. The (¢-adic) Tate 
module of E is the group 

T(E) = lim E[¢"], 
the inverse limit being taken with respect to the natural maps 

Eve] 9 eper, 


Since each E[?"] is a Z/¢"Z-module, we see that the Tate module has a 
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natural structure as a Z,--module. Note that since the multiplication-by-? 
maps are surjective, the inverse limit topology on T,(E) is equivalent to the 
f-adic topology it gains by being a Z,-module. 


Proposition 7.1. As a Z;-module, the Tate module has the following structure. 
(a) T(E) = Z, x Z, if ? # char(K). 
(b) 7,(E) = {0} or Z, if p = char(K) > 0. 


Proor. This follows immediately from (6.4b, c). O 


Now the action of Gg)x on each E[¢"] commutes with the multiplication- 
by-¢ maps used to form the inverse limit, so Gg,x also acts on T;(E). Further, 
since the pro-finite group Gg,x acts continuously on each finite (discrete) 
group E[?"], the resulting action on T/(E) is also continuous. 

Definition. The ¢-adic representation (of Gx )x on E), denoted p;, is the map 
Pe: Gxjx > Aut(T;(E)) 
giving the action of Gg,x on T;(E) as described above. 


Convention. From here on, the number / will always refer to a prime number 
distinct from the characteristic of K. 


Remark 7.2. Notice that by choosing a Z,-basis for T(E) we obtain a 
representation 

Gijx > GL,(Z,); 
and then the natural inclusion Z; < Q, gives 

Gkjx > GL2(Q,). 
In this way we obtain a 2-dimensional representation of Gg)x over a field of 
characteristic 0. 
Remark 7.3. The above construction is analogous to the following one, which 
may be more familiar. Let 

Hen & K* 


be the group of (¢”)'*-roots-of-unity. Then raising to the /'*-power gives maps 
f 
Hens > Ben, 
and we can take the inverse limit as above to form the Tate module of K 


T,(u) = lim pn. 
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As an abstract group, 
Tw) = Z,. 
Further, Gx/x acts on each pn, so we obtain a 1-dimensional representation 
Ggx > Aut(Ty(q)) & ZP. 


For K = Q, this cyclotomic representation is surjective, which is equivalent 
to the fact that the ?-power cyclotomic polynomials are all irreducible over 
Q. 
The Tate module is also a useful tool for studying isogenies. If 


¢:E,>E, 

is an isogeny of elliptic curves, then ¢ gives maps 

¢: E,[¢"] > E,[?"], 
and so it induces a (Z,;-linear) map 

be: TAE,) > T(E). 
We thus obtain a homomorphism 

Hom(E,, E,) > Hom(T,(E,), T(E). 
(Notice if E, = E, = E, then the map 
End(E) — End(T,(E)) 


is even a homomorphism of rings.) It is not hard to show that the 
above homomorphism is injective (see exer. 3.12), but to really analyze 
Hom(E,, F,) we will need the following stronger result. 


Theorem 7.4. Let E, and E, be elliptic curves. Then the natural map 
Hom(E,, E,) ® Z; > Hom(T;(E,), T(E2)) 
$b, 


is injective. 


Proor. We start by proving the following statement. 
Let M c Hom(E,, E,) be a finitely generated subgroup, and let 
(*) M* = {¢eHom(E,, E,):[m]ogeM for some integer m > 1}. 


Then M“* is also finitely generated. 
To prove (*), we extend the degree mapping to the finite dimensional real 
vector space M @ R, which we equip with the natural topology inherited 
from R. Then the degree mapping is clearly continuous, so the set 


U = {EM @R: deg ¢ < 1} 
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is an open neighborhood of 0. Further, since Hom(E,, E,) is a torsion-free 
Z-module (4.2b), there is a natural inclusion 


M*’ <M@R; 
and clearly 
M* QU = {0}, 


since every non-zero isogeny has degree at least 1. Hence M** is a discrete 
subgroup of the finite dimensional vector space M ®R, so it is finitely 
generated. 

We turn now to the proof of (7.4). Let ¢6¢ Hom(E,, E,) ® Z;, and suppose 
that ¢, = 0. Let 


M c Hom(E£,, E,) 


be a finitely generated subgroup so that ge M @ Z,. Then with notation as 
above, M“‘’ is finitely generated, so it is also free (since it is torsion-free 
(4.2b)). Let 


¢,,---, 9 € Hom(K,, E,) 
be a basis for M4”, and write 
@=4,0,+°'' +a, with aeZ,. 
Now choose a,,..., a,¢Z so that 
a;=«; (mod @"). 
Then the fact that ¢, = 0 implies that the isogeny 
wv = [a,]0o¢, +: + [a,Jo¢,eHom(E,, E,) 


annihilates E,[/"]. It follows from (4.11) that y factors through [/"], so there 
is an isogeny 


AcHom(E,, E,) with p=[¢"Jod. 
Further, / is in M“’’, so there are integers b,¢ Z such that 
A=[b,]o¢, +:°: + [BJ og. 
Then, since the ¢,’s form a Z-basis of M“’, we have 
a; = ¢"b,, 
hence 
4;=0 (mod #”). 


Since this holds for all n, it follows that all «, = 0, so ¢ = 0. [N.B. The reason 
it is so important to use M* is that it is essential that the Z-basis used to 
express ¢, w, and 4 not depend on the choice of 7”.] O 
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Corollary 7.5. Let E, and E, be elliptic curves. Then 
Hom(E,, E,) 


is a free Z-module of rank at most 4. 


Proor. Since Hom(E,, E,) is torsion-free (4.2b), it follows that 
rankz Hom(E,, E,) = rankz, Hom(E,, E2) ® Z;, 


in the sense that if one is finite, then they both are and they are equal. Next, 
from (7.4), we have the estimate 


rankz, Hom(E,, E,)@ Z; < rankz, Hom(T,(E,), T-(E2)). 
Finally, choosing Z,-bases for T,(E,) and T,(E,), we see from (7.1a) that 
Hom(T;(E,), T;(E2)) = M2(Z,), 


where M,(Z;) is the group of 2 x 2 matrices with Z, coefficients. Since 
M,(Z,) has Z;-rank equal to 4, this gives the desired result. oO 


Remark 7.6. By definition, an isogeny is defined over K if it commutes with 
the action of Gg),. Similarly, we can define 


Hom,(T7;(E,), T-(E2)) 


to be the group of Z,-linear maps from T,(E,) to T,(E,) which commute with 
the action of Gg)x as give by the ?-adic representation. Then we have a 
homomorphism 


Hom,(E,, E,) ® Z; > Hom, (7;(E,), T(E2)), 


which from (7.4) is injective. It turns out that in many cases this map is 
actually an isomorphism. 


Theorem 7.7. The natural map 
Hom,(E,, E,) @ Z; > Hom,(T;(E,), T:(E2)) 
is an isomorphism if: 


(a) ((Ta 7]) K is a finite field; 
(b) ({Fa 1]) K is a number field. 


The proofs, which make heavy use of abelian varieties of higher dimen- 
sions, are unfortunately beyond the scope of this book. Indeed, the methods 
used in proving (7.7b) include virtually all of the tools needed for Faltings’ 
proof of the Mordell conjecture. 

To understand what (7.7) says, one should think of the Tate module as a 
homology group, specifically as the first homology with Z,-coefficients. Then 
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(7.7) gives a characterization of when a map between homology groups 
comes from an actual geometric map. 


Remark 7.8. Another natural question to ask is how large is the image 
p¢(Gg/x) in Aut(T;(E)). The following theorem of Serre provides an answer 
for number fields. We do not include the proof. (But see (IX.6.3) and exer. 9.7). 


Theorem 7.9 (Serre). Let K be a number field and E/K an elliptic curve without 
complex multiplication. 

(a) pe(Gg)x) is of finite index in Aut(T,(E)) for all primes ¢. 

(b) p-(Gg/x) = Aut(T,(E)) for all but finitely many primes ¢. 


Proor. [Se 5] and [Se 6]. O 


Remark 7.10. Let E/K be an elliptic curve. Then just as above, the elements 
of End,(E) commute with the elements of Gg, in their action on T,(E). If 


End,(E) = Z, 


this gives little information; but if E has complex multiplication, then this 
forces the action of Gg,x on T,(E) to be abelian (exer. 3.24). In particular, 
adjoining the coordinates of /"-torsion points to K leads to explicitly con- 
structed abelian extensions, in much the same manner that abelian exten- 
sions of @ are obtained by adjoining roots of unity. (See appendix C §11 for a 
brief discussion.) 
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Let E/K be an elliptic curve. For this section we fix an integer m > 2, prime 

to p = char(K) if p > 0. We will make frequent use of (3.5), which says that 

&n,(P,) is the divisor of a function if and only if Xn; = 0 and X[n,]P, = O. 
Let T¢ E[m]. Then there is a function fe K(E) such that 


div(f) = m(T) — m(O). 


Letting T’cE with [m]T’=T, there is similarly a function ge K(E) 
satisfying 


div(g) = [m]*(T) — [m]*(O) = s » RP: + R) —(R). 
(Note #E[m] = m? (6.4b) and [m?]T’ = O.) One immediately verifies that 


the functions f o[m] and g™ have the same divisor, so multiplying f by an 
element of K*, we may assume that 


fo[m] =g”. 
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Now suppose that Se E[m] is another m-torsion point (S = T is allowed). 
Then for any point X € E, 


g(X + S)" = f([m]X + [m]S) = f([m]X) = g(X)”. 
Hence we can define a pairing 
Cm: Elm] x E[m] > p,, = m™ roots of unity 
by setting 
en(S, T) = g(X + S)/g(X), 


where X EE is any point such that g(X + S) and g(X) are both defined and 
non-zero. Note that although g is only defined up to multiplication by an 
element of K*, e,,(S, T) does not depend on this choice. This pairing is called 
the Weil e,,-pairing. We begin by giving some of its basic properties. 


Proposition 8.1. The Weil e,,-pairing is: 


(a) Bilinear: Cm(S, + Sz, T) = e(S,, T)@n(S2, T) 
en(S, T, + T,) = em(S, T,)em(S, T,); 
(b) Alternating: Cm(S, T) = n(T, S); 


(c) Non-degenerate: If e,,(S, T) = 1 for all Se E[m], then T = O; 
(d) Galois invariant: For all o € Gg)x, 


em(S, T)’ = Cm(S”, T’); 
(e) Compatible: If Se E[mm’] and Te E[m], then 
Cmm'(S; T) = m(Lm']S, T). 


ProoF. (a) Linearity in the first factor is easy. 


_ g(X +S, + 82) g(X +81) 
Em(Sy + S3, T) = g(X + S,) g(X) _ Cm(S2, T)en(S1; T). 


(Note how useful it is that in e,,(S,, T) = g(Y + S,)/g(Y), we may choose 
any value for Y, such as Y = X + S,.) For the second, let f,, fo, f3, 91, 92> 93 
be functions as above for T,, T,, and T;, = T, + T,. Choose he K(E) with 
divisor 
div(h) = (T, + T,) — (T,) — (Tz) + (O). 
Then 
div(f3/f: fo) = m div(h), 


SO 


fs=ifoh™ for some ce K*. 
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Compose with the multiplication-by-[m] map, use f;o[m] = g?", and take 
m'*-roots to find 
93 = €'9192(ho[m)]). 
Now 
gx(X +S) _ 9i(X + S)g2(X + S)h([m] x + [m]5) 
93(X) 91(X)go(X)h([m] x) 
= Cm(S, T,)em(S, T,). 


en(S, T, sp T,) i 


(b) From (a) we have 
en(S + T, S + T) = e,,(S, S)e,(S, T)e,,(T, S)e,(T, T), 


so it suffices to show that e,,(T, T) = 1 for all Te E[m]. For any Pe E, recall 
that tp: E > E denotes the translation-by-P map (4.7). Then 


m—-1 m-1 
aiv( TH] forur) =m x ({1 — iT) — ((—-i]T) =0. 


Hence | |<o f © tr is constant; and if we choose some T’€ E with [m]T’ = 
T, then |] 9 0 tj7- is also constant, because its m'"-power is the above 
product of f’s. Evaluating the product of g’s at X and X + T’ yields 


Tox +i]T)= in g(X + [i+ 1]T. 
Now cancelling like terms gives 
g(X) = g(X + [m]T’) = g(X + T), 
so 
enA(T, T) = 9(X + T)/g(X) = 1. 
(c) Ife,,(S, T) = 1 for all Se E[m], so g(X + S) = g(X) for all Se E[m], then 
from (4.10), g = ho[m] for some function he K(E). But then 
(ho[m])" = g" = fo[m], 
so f = ch” for some constant ce K*. Hence 
m div(h) = div(f) = m(P) — m(0), 
so 
div(h) = (P) — (0). 


Therefore P = O (3.3). 
(d) Let o€ Ggjx. If f, g are the functions for T as above, then clearly f’, g’ 
are the corresponding functions for T’. Then 


g?(X? + S’) - (“ + ay 


ae T° = 
ene g°(X’) g(X) 


= &(S, T)’. 
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(ec) Taking f, g as above, we have 

div(f™) = mm'(T) — mm'(0) 
and 

(go[m'])"™ =(fo[mm'])™. 
Then from the definition of ¢,,,,,, and e,,, 


_ g0lm'}(X +S) _ g(¥ + [m']S) _ 
€mm'(S; T) = go [m’'](X) = g(Y) €m(Lm 1S, T). | 


The basic properties of the Weil pairing imply its surjectivity, as we now 
show. 


Corollary 8.1.1. There exist points S, T€ E[m] such that e,,(S, T) is a primitive 
m'*-root of unity. In particular, if E[m] < E(K), then p,, < K*. 


Proor. The image of e,,(S, T) as S and T range over E[m] is a subgroup of 
H,,, Say equal to py. It follows that for all S, Te E[m], 
1 =e,,(S, T)* = e,,((d]S, T). 


The non-degeneracy of the e,,-pairing now implies that [d]S = O; and since 
S is arbitrary, we must have d =m. Finally, if E[m] c E(K), then from 
the Galois invariance of the e,,-pairing we see that e,,(S, T)¢K* for all 
S, Te E[m]. Therefore p,, < K*. oO 


Recall that if E, and E, are elliptic curves and ¢: E, > E, is an isogeny 
connecting them, then there is a dual isogency d : E, > E, going in the other 
direction. The following proposition says that ¢ and b are dual (i.e. adjoint) 
with respect to the Weil pairing. 


Proposition 8.2. Let Se E,[m], Te E,[m], and ¢: E, > E, an isogeny. Then 
en(S, $(T)) = en(G(S), T). 
Proor. Let 
div(f) = m(T)—m(O) and fo[m] =g"™ 
be as above. Then 


€m(PS, T) = g(X + S)/g(X). 
Choose a function he K(E) so that 


$*((T)) — $*((0)) = GT) — (0) + div(h). 
Such an h exists because, by (6.1b), ¢ T is precisely the sum of the points of the 
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divisor on the left-hand side of this equality. Now 


div (Z a) = $* div(f) — m div(h) 
= m(¢T) — m(0), 


and 
( god J =folmles _ (£2*) otm 
ho[m]) — (ho[m])" \ h™ ; 
Thus from the definition of the e,,-pairing, 
rar _ (gog/ho[m])(X + S) 
ents OT) =" Godfholm]y(X) 


_9(bX + 9S) h([m]X) 
g(@X) — h([m] X + [m]S) 


= em(PS, T). O 


Let ¢ be a prime number different from char(K). We would like to fit 
together the pairings 


en: Elf") x E[?"] > pen 
for alln = 1, 2,... to give an ¢-adic Weil pairing on the Tate module 
e: T(E) x TE) > T;(y). 
Recall that the inverse limits for T(E) and T,(p) are formed using the maps 
Eve] Sele] and py > yn. 


Thus to show that the e;.-pairings are compatible with taking the inverse 
limit, we must show that for any S, Te E[¢"**], 


€mui(S, TY = en((¥1S, [2] T). 
But by linearity (8.1a), 
€mn+i(S, TY = esnei(S, [4] T); 


and then the desired result follows by applying (8.1e) to (S, [7] T) with m = @" 
and m’ = @. This proves that e is well-defined, and it inherits all of the prop- 
erties from (8.1) and (8.2), which completes the proof of the following. 


Proposition 8.3. There exists a bilinear, alternating, non-degenerate, Galois 
invariant pairing 
e: TE) x T(E) > Tw). 


Further, if 6: E, > E, is an isogeny, then @ and its dual isogeny 6 are adjoints 
for the pairing. 
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§9. The Endomorphism Ring 


Let E/K be an elliptic curve. We are interested in characterizing which rings 
may occur as the endomorphism ring of E. So far, the following information 
has been collected: 


(i) End(E) is a characteristic 0 integral domain of rank at most 4 over Z 
((4.2c), (7.5) 
(ii) End(E) possesses an anti-involution ¢ > @ (6.2b, c, f); 
(iii) For ¢e End(E), we have d¢eZ, ¢¢ > 0, and ¢¢ = 0 if and only if 6 = 0 
((6.2a), (6.3)). 


It turns out that any ring satisfying (i)—(iii) is of a very special sort. After 
giving the relevant definitions, we will give the general classification of rings 
satisfying (i)—(iii), which may then be applied to the particular case of End(£). 


Definition. Let % be a (not necessarily commutative) algebra, finitely gen- 
erated over Q. An order & of & is a subring of # which is finitely generated 
as Z-module and which satisfies 2 @ Q = &. 


Example 9.1. Let % be a quadratic imaginary field and 0 its ring of integers. 
Then for each integer f > 0, the ring Z + f@ is an order of #. (These are all 
the orders of #. See exer. 3.18.) 


Definition. A quaternion algebra is an algebra of the form 
KH =Q+Qa+ Of + Oaf 
with the multiplication rules 
a’, Be Q, a? <0, Bp? <0, Ba = —af. 


Remark 9.2. The quaternion algebras defined above are more properly called 
definite quaternion algebras over Q. But since these are the only quaternion 
algebras that we will deal with in this book, we will generally drop the 
appellation “definite”. 


Theorem 9.3. Let &@ be an integral domain of characteristic 0 having the 
following properties. 


(i) & has rank at most 4 (as a Z-module). Boer, we 
(ii) & possesses an anti-involution « > &. (Le.a + B =&+ B, a8 = pa, d =a, 
and for «EZ, & = «.) 
(ili) For ae &, a& is a non-negative integer; and «& = 0 if and only if « = 0. 


Then & is one of the following three sorts of rings. 


(a) 2=Z. 
(b) & is an order in a quadratic imaginary extension of Q. 
(c) is an order in a quaternion algebra over Q. 
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Proor. Let # = #® Q. Since & is finitely generated (as a Z-module), it 
suffices to show that either # = Q, #/Q is a quadratic imaginary extension, 
or #/Q is a quaternion algebra. We extend the anti-involution to #, and 
define a (reduced) norm and trace from ¥ to Q by 


Nao=od and Ta=a+2. 
We make several observations about the trace. First, since 
Ta = N(a — 1)— Na — 1, 


Ta is in Q. Second, the trace is clearly Q-linear. Third, if «¢ Q, then Ta = 2a. 
Finally, if we % satisfies Ta = 0, then 


0 = (a — a)(a — &) = a? — (Tala + Na = a? + Na, 
so a? = —Na. Thus for elements with Tx = 0, either « = 0, or else «? € Q and 
a? <0. 

Now if # = Q, we are done. Otherwise we can choose some «€ %, « # Q. 
Replacing « by « — 47, we may assume Tx = 0. Then from above «? < 0, 
so Q(«) is a quadratic imaginary field. If # = Q(a), we are again done. 

Assume now 4% # Q(a), and choose Be #%, B¢ O(a). As above, we may 
replace B by 

B —3TB — 3(T(@B)/a*)a. 


Recalling that Tx =0 and «?¢Q*, one immediately verifies that TB = 
T(ap) = 0. In particular, 6? < 0. Further, writing 


Ta =TB=T(ap)=0 as «= —4,B = —f, af = —fa, 
we see by substituting the first two equalities into the third that 
ap = — Ba. 
Hence 
Q[a, B] = Q+ Qa + OP + Oaf 


is a quaternion algebra. It remains to prove that Q[a, 8] = %. To do this, it 
suffices to show that 1, a, B, «8 are Q-linearly independent, since then Q[a, B] 
and % will both have dimension 4 over Q. 

Suppose 


w+xa+ yp + zasp =0 
with w, x, y, z€Q not all zero. Taking traces yields 
2w=0, so w=0. 
Then multiplying by « on the left and f on the right gives 
(xa?)B + (vB?) + za7B? = 0, 


contradicting the Q-linear independence of 1, «, B. (Remember «7, 6? € Q*.) 
This completes the proof that # = OQ[a, f]. O 
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Corollary 9.4. The endomorphism ring of an elliptic curve is either Z, an order 
in a quadratic imaginary field, or an order in a quaternion algebra. 


ProoF. As indicated above, we have proven all of the facts ((4.2b), (6.2), (6.3), 
(6.5)) needed to apply (9.3) to End(E). oO 


It turns out that if char(K) = 0, then End(E) ® Q cannot be a quaternion 
algebra. We will give an analytic proof of this later (VI.6.1b). (See also 
exer. 3.18b.) On the other hand, if K is a finite field, then End(£) is always 
larger than Z (IV.3.1), and there are always elliptic curves (defined over K) 
with End(E) non-commutative (IV.4.1c). The complete description of End(E) 
can be found in Deuring’s comprehensive article [De 1]. 

The following definition and result will be used in the exercises. 


Definition. Let p be a prime (or 00), and let Q, be the completion of Q at p 
(Q,, = R). A quaternion algebra & is said to split at p if 
H @ Q, = M,(Q,). 


(Here M, is the algebra of 2 x 2 matrices.) Otherwise % is ramified at p. 
Define the invariant of % at p by 


aoe 0 = if & splits at p 
pa 4 if H ramifies at p. 


Theorem 9.5. (a) Let # be a quaternion algebra. Then inv,(.#) = 0 for all but 
finitely many p, and 


Yinv, # €Z. 
p 


(Note that the sum includes p = 00.) 
(b) Two quaternion algebras # and XX” are isomorphic (as Q-algebras) if and 
only if inv,(#) = inv,(”) for all p. 


ProoF. This is a very special case of the fact that the central simple algebras 
over a field K are classified by the Brauer group Br(K) = H?(Gxx, K*) 
({[Se 9, X §5]), and the fundamental exact sequence from class field theory 
([Ta 3, §9.6]) 


Z, inv, 


0 > Br(Q) > @Br(Q,) 2% Q/Z 0, 
Pp 


where 
~ (Q/Z p#o 
B 
ee in, ie 3} p=o. 


Quaternion algebras (definite and indefinite) correspond to elements of exact 
order 2 in Br(Q). O 
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§10. The Automorphism Group 


If an elliptic curve is given by a Weierstrass equation, it is in general a 
non-trivial matter to determine the exact structure of its endomorphism ring. 
For the automorphism group, however, the situation is much simpler. 


Theorem 10.1. Let E/K be an elliptic curve. Then its automorphism group 
Aut(E) is a finite group of order dividing 24. More precisely, the order of 
Aut(E) is given by the following list: 
2 if j(E) # 0, 1728 
4 if j(E) = 1728 and char(K) # 2, 3 
6 if j(E) = 0 and char(K) # 2, 3 
12 if j(E) = 0 = 1728 and char(K) = 3 
24 if j(E) = 0 = 1728 and char(K) = 2. 


Proor. We restrict attention to the case char(K) # 2, 3 (see (1.3) and (A.1.2c)). 
Then E is given by an equation 

E:y? =x? + Ax +B, 
and every automorphism has the form 

x=ux’ y=uty’ 
for some ue K*. Such a substitution will give an automorphism of E if and 
only if 

u*A=A and u°B=B. 


Hence if AB 4 0 (so j(E) 4 0, 1728), then the only possibilities are u = +1; 
while if B = 0 (j(E) = 1728) or A = 0 (j(E) = 0), then u satisfies respectively 
u* = 1 or u® = 1, so Aut(E) will be cyclic of order 4 or 6. Oo 


It is worth remarking that the proof of (10.1) actually gives the structure of 
Aut(E) as a Gg/x-module (at least for characteristic #2, 3). We record this in 
the following corollary. 


Corollary 10.2. Let E/K be an elliptic curve over a field of characteristic #2, 
3, and let n = 2 (resp. 4, resp. 6) if j(E) 40, 1728 (resp. j(E) = 1728, resp. 
j(E) = 0). Then as Gg jx-modules, 


Aut(E) & ,. 


ProoF. In proving (10.1), we showed that the map 
[ Jim, >Aut(E) [C(x y) = (0x, Cy) 


is an isomorphism of abstract groups. But this map clearly commutes with 
the action of Gg), and so it is an isomorphism of Gx,x-modules. oO 
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EXERCISES 
3.1. Show that the polynomials 
x* — byx? —2bgx —bg and 4x3 + b,x? + 2b,x + be 


appearing in the duplication formula (2.3d) are relatively prime if and only if the 
discriminant A of the corresponding Weierstrass equation is non-zero. 


3.2. (a) Find a triplication formula, analogous to the duplication formula given in 
(2.3). (Ie. Express x({3] P) as a rational function of x(P) and a,,..., ag.) 
(b) Use the result from (a) to show that if char(K) # 3, then E has a non-trivial 
point of order 3. Conclude that if gcd(m, 3) = 1, then [m] #4 [0]. (Warning: 
This exercise probably requires a computer with a symbolic processor.) 


3.3. Assume char(K) # 3 and Ae K*. Then the curve 
E:X3+Y?= AZ? 


has genus 1! (exer. 2.7), so together with the point O = [1, —1, 0] it becomes an 
elliptic curve. 

(a) Show that three points of E add to O if and only if they are collinear. 

(b) If P = [X, Y, Z]eE, show that 


—P=[Y,X,Z] 
and 
(2]P = [—Y(X? + AZ), X(Y? + AZ?), X9Z — Y¥3Z]. 


(c) Develop an analogous formula for the sum of two distinct points. 
(d) Prove that E has j-invariant 0. 


3.4. Referring to example (2.4), express each of the points P,, P,, P;, Ps, P;, Pg in the 
form [m]P, + [n]P3 with m, ne Z. 


3.5. Let E/K be given by a singular Weierstrass equation. 
(a) Suppose that E has a node, and let the tangent lines at the node be 
y=a,x + B,i= 1,2. 
(i) Ifa,e€K, prove that «,¢K and 


E,,(K) & K*. 


(ii) If a, ¢K, prove that L = K(a,, ,) is a quadratic extension of K. From 
(i), E,s(K) ¢ E,,(L) & L*. Show that 


E,(K) & {te L* : N, x(t) = 1}. 
(b) Suppose that E has a cusp. Prove that 
E,,(K) & K*. 


3.6. Let C be a smooth curve of genus g, Pye C, and n > 2g + 1 an integer. Let 
{ fo. fi» --->tm} be a basis for #(n(P,)) and 


$ = [fos -+-sfml i: C > P™ 
the map determined by the fs. 
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3.7. 


3.8. 


(a) Prove that the image C’ = ¢(C) is a curve in P”. 
(b) Prove that the map ¢: C > C’ has degree 1. 
(c)* Prove that C’ is smooth, and so that ¢: C > C’ is an isomorphism. 


This exercise gives an elementary (highly computational) proof that the 
multiplication-by-m map has degree m?. We will assume char(K) # 2, 3, and 
take an elliptic curve 


E:y?=x3+Ax4+B. 
Define division polynomials ,,¢€ Z[A, B, x, y] inductively as follows: 
w=1, 2 = 2y, 
Ws = 3x* + 6Ax? + 12Bx — A’, 
Wa = 4y(x® + 5Ax* + 20Bx3 — 5A?x? — 4ABx — 8B? — A), 
Vomet = Vm+2Vim —Vm-1Vinvr = (mM > 2), 
22m = Vl Vm+20m—1 — Vm—2 Witt) (m 2 2). 


(One easily checks that the w,,,’s are polynomials.) Further define polynomials 
bm and w,, by 


bmn = xn a Wn+t Win—1 
4VOm, = Vn+2Vn—t =e Um—-2War+1- 


(a) Prove that Wins ms Y '@Qm (for m odd) and (2y)"!Wns bms Om (for m even) are 
polynomials in Z[A, B, x, y?]. Hence replacing y? by x> + Ax + B, we will 
treat them as polynomials in Z[A, B, x]. 

(b) As polynomials in x, show that 


bn(X) = x" + lower order terms, 
Wm(X)? = m2x”’-! + lower order terms. 


(c) If A = —16(4A3 + 27B?) #0, then ¢,,(x) and y,,(x)? are relatively prime 
polynomials (in K[x].) 
(d) Again assume A # 0, so E is an elliptic curve. Let P = (xo, yo)€ E. Then , 


eee ( bn(P) a) 


Wm(P)?” Yn( P)? 
(ce) The map [m] : E > E has degree m?. 


(a) Let E/C be an elliptic curve. We will later show (VI.5.1.1) that there is a 
lattice L < C and a complex analytic isomorphism of groups C/L = E(C). 
(N.B. This isomorphism is given by convergent power series, not by rational 
functions.) Assuming this, prove that 


deg[m] =m? and E[m] = Z/mZ x Z/mZ. 


(b) Let E/K be an elliptic curve with char(K) =0. Using (a), prove that 
deg[m] = m?. [Hint: If K can be embedded in C, there is no problem. 
Reduce to this case. ] 
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3.9. 


3.10. 
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Let E/K be an elliptic curve given by a homogeneous Weierstrass equation 

F(X, X1, Xz) = 0. (Le. x = Xo/X, and y = X,/X, are Weierstrass coordinate 

functions.) Let Pe E. 

(a) Show that [3] P = O if and only if the tangent line to E at P intersects E only 
at P. 

(b) Show that [3] P = O if and only if the Hessian matrix 


(0° F/0X;0X)(P))o<ij<2 


has determinant 0. 
(c) If char(K) ¥ 3, show that E[3] consists of 9 points. 


Let E/K be an elliptic curve with Weierstrass coordinate functions x, y. 
(a) Show that the map 


¢:E>P> 
¢ =[1, x, y, x7] 


maps E isomorphically onto the intersection of two quadric surfaces in P°. 
In particular, if H < P? is a hyperplane, then H 7 ¢(E) consists of 4 points 
(counted with appropriate multiplicity.) 

(b) Show that 4(O) = [0, 0, 0, 1], and the hyperplane {T) = 0} intersects ¢(E) at 
the single point ¢(O) with multiplicity 4. 

(c) Let P, 0, REE. Prove P+ Q + R= O if and only if 4(P), 6(Q), ¢(R), ¢(O) 
are coplanar. 

(d) Let PeE. Prove that [4]P = O if and only if there exists a hyperplane 
H c P® such that H 7 ¢(E) = {P}. Show that if char K # 2, then there are 
exactly 16 such points. 

(ce) Assume char(K) # 2. Show that after a linear change of variables (over K), 
E has a model of the form 


T§ + Tz = ToT; 
T? + aT? = TyTs. 


For what value(s) of « is this model non-singular? 
(f) Using the model in (e) and the addition law described by (c), derive formulas 
for —P, P, + P,, and [2]P analogous to those given in (2.3). 


. Generalize exercise 3.10 as follows. Let E/K be an elliptic curve, and choose a 


basis f,, -.-,fm for £(m(O)). Then for m > 3, the map 
¢@:E>p™! 
@ = Lh. into Smal 


maps E isomorphically onto its image (exer. 3.6). 

(a) Show that ¢(E) is a curve of degree m. (Ie. The intersection of ¢(E) and a 
hyperplane, counted with multiplicities, consists of m points.) [Hint: Find 
a hyperplane which intersects ¢(E) at the single point ¢(O), and show that 
it intersects with multiplicity m.] 

(b) Let P,,..., P,-,¢E. Prove that P, +-:-+ P,_, =O if and only if 4(P,), 
.++) @(Pn—1), $(O) lie in a hyperplane. (Note that if some of the P,’s coincide, 
then we require the hyperplane to intersect ¢(E) with correspondingly 
higher multiplicity.) 
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3.12. 


3.13. 


3.14. 


3.15. 


3.16. 


(c)* Let PEE. Show that [m]P =O if and only if there is a hyperplane 
Hc P™"? such that HO @(E) = {P}. If char(K) =0 or char(K) > m, 
prove that there are exactly m? such points. Deduce that deg[m] = m?. 


Let m > 2 be an integer, prime to char(K) if char(K) > 0. Prove that the natural 
map 


Aut(E) > Aut(E[m]) 
is injective except for m = 2, when the kernel is + 1. (Do not use (10.1).) 


Generalize (4.12) as follows. Let C/K be a smooth curve, and let Isom(C) denote 

the group of isomorphisms from C to itself. (E.g. If C is an elliptic curve, then 

Isom(C) contains translation maps and [+1].) Let ® be a finite subgroup of 

Isom (C). 

(a) Prove that there exists a unique smooth curve C’/K and a finite separable 
morphism ¢ : C > C’ such that *K(C’) = K(C)®. (Here K(C)® denotes the 
subfield of K(C) fixed by ©, where an element a€® acts on K(C) by 
a*:K(C) > K(C)) 

(b) Let PEC. Prove that 


ep(d) = #{aeD:aP = P}. 


(c) Prove that ¢ is unramified if and only if every non-trivial element of ® has 
no fixed points. 

(d) Express the genus of C’ in terms of the genus of C, #®, and the fixed points 
of the elements of ®. 

(e)* Suppose that C is defined over K, and that ® is Gg),-invariant. (Le. Ifae®, 
then «’ €@® for all o € Gg,x.) Prove that it is possible to find a C’ so that C’ 
and ¢ are defined over K. Further, show that C’ is then unique up to 
isomorphism over K. 


Use the non-degeneracy of the Weil pairing to give a quick proof that the map 
Hom(E,, E,) > Hom(T,(E,), T(E2)) 
is injective. (Note this is not as strong as (7.4).) 


Let ¢:E,—~E, be an isogeny of degree m, with m prime to char(K) if 
char(K) > 0. 
(a) Mimic the construction in section 8 to construct a pairing 


ég:ker ¢ x ker d > p,. 


(b) Prove that e, is bilinear, non-degenerate, and Galois invariant. 
(c) Prove that ey is compatible, in the sense that if y:E, > E, is another 
isogeny, Peker(w 0 ¢), and Qeker(@), then 


Cyog(P; Q) = ey (OP, Q). 
Alternative Definition of the Weil Pairing. Let E be an elliptic curve. We define a 
pairing 
é,:E[m] x E[m] > up, 


as follows: Let P, Q€ E[m], and choose divisors Dp, Dg in Div°(E) which add to 
P and Q respectively. (Ie. o(Dp) = P and o(Dg) = Q, where a is as in (3.4a).) We 
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3.18. 


3.20. 
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further assume that Dp and Dg are chosen with disjoint supports. Since P and Q 
have order m, there are functions fp, fo ¢ K(E) such that 


div(fp)=mDp and div(fg) = mDg. 
Then we define 
en(P, Q) = Sp(Do)/fo(Dp).- 


(See exer. 2.10 for the definition of the value of a function at a divisor.) 

(a) Prove that é,,(P, Q) is well-defined. 

(b) Prove that @,,(P, Q)€pn- 

(c)* Prove that é,, = €,,, where e,, is the Weil pairing defined in section 8. [Hint: 
Use Weil reciprocity, exer. 2.11.] 


. Let & be a quaternion algebra. Show that ¥ is ramified at oo. [Hint: M,(R) 


contains zero-divisors. ] 


Let E/K be an elliptic curve, and assume that # = End(E) @ Q is a quaternion 

algebra. 

(a) Prove that if p 4 00 and p # char(K), then & splits at p. [Hint: Use (7.4).] 

(b) Prove that char(K) > 0. [Hint: Use exer. 3.17 and (9.5a).] 

(c) Prove that % is the unique quaternion algebra ramified at precisely oo and 
char(K). 

(d)* Prove that End(E) is the maximal order in %. (Le. The integral closure of 
Zin &.) 


. Let # be a quaternion algebra. 


(a) Show that # @ Q = M,(Q). 

(b) Show that # @ # = M,(Q). (This proves that #% has order 2 in Br(Q).) 
(Hint: First show that # ®@ 1% is simple (i.e. has no two-sided ideals.) Then 
prove that the map 


HK @H End”),  a@b—>(x—axb) 
is an isomorphism. ] 


Let % be a quadratic imaginary field with ring of integers 0. Show that the 
orders of ¥ are precisely the rings Z + f@ for integers f > 0. The integer f is 
called the conductor of the order. 


. Let C/K be a curve of genus 1. For any point OeC, we can associate to the 


elliptic curve (C, O) its j-invariant j(C, O). This exercise sketches a proof that the 
value j(C, O) is independent of the choice of the basepoint O. Thus we can assign 
a j-invariant j(C) to any curve C of genus 1. (We assume that char(K) # 2. The 
result is still true for char(K) = 2, but the method of proof must be modified and 
the ensuing algebra is more complicated.) 

(a) Choose a Legendre equation 


y? = x(x — 1)(x — A) 


for the elliptic curve (C, O). Show that the map x: C > P' has degree 2 and 
is ramified exactly over the points {0, 1, A, 00}. 
(b) Let O’eC be another point, and choose a Legendre equation 


w? = 2(z — 1)(z— ») 
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3.22. 


3.24. 


for (C, O’). Let t: C + C be the translation-by-O’ map on the elliptic curve 
(C, O). Show that there are constants ae K and be K* such that 71*(z) = 
a + bx. [Hint: Look at the divisor of t*(z).] 

(c) Let f: P’ + P* be the map f(t) = a + bt. Prove the f maps the set {0, 1, A} 
bijectively to the set {0, 1, u}. [Hint: Compare the ramification of the maps 
zotand fox.] 

(d) Show that 


et EIS AAA ey 


[ Hint: Consider the six ways of matching {0, 1, A} with {0, 1, y}.] 

(e) Deduce that j(C, O) = j(C, 0’). [Hint: Show that the formula for j(E,) in 
(1.7b) does not change if A is replaced by any of the six expressions given 
in (d).] 


Let C be a curve of genus 1 defined over K. 

(a) Prove that j(C)e K. 

(b) Prove that C is an elliptic curve over K if and only if C(K) # @. 

(c) Prove that C is always isomorphic (over K) to an elliptic curve defined over 
K. 


. Deuring Normal Form. The following normal form for a Weierstrass equation is 


sometimes useful when dealing with elliptic curves over (algebraically closed) 

fields of arbitrary characteristic. 

(a) Let E/K be an elliptic curve, and assume that either char(K) # 3 or j(E) # 0. 
Prove that E has a Weierstrass equation over K of the form 


E:y?+axy+y=x3, aeK. 


(b) For the Weierstrass equation given in (a), show that (0, 0)¢ E[3]. 
(c) For what value(s) of « is the equation singular? 
(d) Verify that 
HE) = o(a> — 24)3 (a> — 27). 
Let E/K be an elliptic curve with complex multiplication over K (i.e. End,(E) is 
strictly larger that Z.) Prove that for all primes ¢ # char(K), the action of Ggx 


on the Tate module 7/(E) is abelian. [Hint: Use the fact that the non-trivial 
endomorphisms in End,(E) commute with the action of Gg,x.] 


CHAPTER IV 
The Formal Group of an Elliptic Curve 


Let E be an elliptic curve. In this chapter we start by studying an “in- 
finitesimal” neighborhood of E centered at its origin O. In other words, we 
look at the local ring K[E] 9, and take the completion of this ring at its 
maximal ideal. This leads to a power series ring in one variable, say Kz], for 
some uniformizer z at O. We can then express the Weierstrass coordinates x 
and y as formal Laurent power series in z. Further, we can write down a 
power series F(z,, 2,)€ K[[z,, Z2]| which formally gives the group law on E. 
Such a power series, which might be described as a “group law without any 
group elements”, is an example of a formal group. In the remainder of the 
chapter we study in some detail the principal properties of arbitrary (one- 
parameter) formal groups. The advantage of suppressing all mention of the 
elliptic curve which motivated this study in the first place is that working 
with formal power series tends to be fairly easy. Then, of course, having 
obtained results for arbitrary formal groups, we can apply them in particular 
to the formal group associated to our original elliptic curve. 


§1. Expansion around O 

In this section we investigate the structure of an elliptic curve and its addition 
law “close to the origin”. To do this it is convenient to make a change of 
variables, so let 


1 1 
p23 and w= -—- (s0 x= Zand y= -*). 
y y w w 


The origin O on E is now the point (z, w) = (0, 0), and z is a local uniformizer 
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at O (i.e., z has a zero of order 1 at O.) The usual Weierstrass equation for E 
becomes 


w = 2° + a,zw + a,2z7w + aw? + agzw? + agw° (= f(z, W)). 


The idea now is to substitute this equation into itself recursively so as to 
express w as a power Series in z. Thus 


w =z? + (a,z + a,27)w + (a3 + a4z)W? + agw? 
= 23 + (a,z + a,2z7)[z? + (a,z + a,27)w + (a3 + a4z)W? + agw?] 
+ (a3 + a4z)[z? + (a,z + a2z7)w + (a; + a4z)w? + agw>]? 


+ ag[z> + (a,z + a,2”)w + (a3 + a4z)w? + agw?]? 


= 29 + a,z* + (at + ap)2° + (a} + 2a,a, + a3)2° 
+ (at an 3aza, + 3a, a; + az + a4)z’ foe 
= 23(1 + A,z+ A227 +°"'), 


where A,€ Z[a,,..., 4g] is a polynomial in the coefficients of E. Of course, 
we must show that this procedure actually converges to a power series 
w(z)€Z[a,,..., a¢][z], and naturally we want the equality 


w(z) = f(z, w(z)) 


to hold in the power series ring. 
To more precisely describe the algorithm for producing w(z), define a 
sequence of polynomials by 


Si(z, w) = F(z, w) and Finsi(Z, w) a FimnlZs F(Z; w)). 
Then we take 
w(z) = Lim f,,(z, 0) 


provided this limit makes sense in Z[a,, ..., 46] [z]. 
Proposition 1.1. (a) The procedure described above gives a power series 
w(z) = 23(1 + A,yz + Agz? +°°*)eEZ[ay,..., a6] [z]. 
(b) w(z) is the unique power series satisfying 
w(z) = f(z, w(2)). 
(c) If Z[a,,..., a5] is made into a graded ring by assigning weights wt(a;) = i, 


then A,, is a homogeneous polynomial of weight n. 


Proor. Parts (a) and (b) are really special cases of Hensel’s lemma, which we 
prove below (1.2). To prove the present proposition, use (1.2) with 


112 IV. The Formal Group of an Elliptic Curve 


R=2Z[a,,..., a6] [2], I =(z), 
F(w) = f(z, w) — w, a=0, a=. 
Finally, to prove (c) we assign weights to z and w, 
wt(z)= —1 and wt(w)= —3. 


Then one sees that f(z, w) is homogeneous of weight —3 in the graded ring 
Z[a;,...,4¢,2Z,w], hence by an easy induction so is every f,,(z, w). In 
particular, 


Sn(Z, 0) = 2°(1 + Byz + Bz? +++ + By2") 


is homogeneous of weight —3, so each B, is homogeneous of weight n in 
Z[a,,..., ag]. Hence the A,’s have the same property, since f,,(z, 0) converges 
to w(z) as m > 00. Oo 


Lemma 1.2 (Hensel’s Lemma). Let R be a ring which is complete with respect 
to some ideal I < R, and let F(w)e R[w] be a polynomial. Suppose that ac R 
satisfies (for some integer n > 1) 


F(ajeI" and F'(ajeR*. 
Then for any aéR satisfying « = F'(a) (mod I), the sequence 
Wo =a Watt = Wm — F(W,,)/o 
converges to an element be R satisfying 
F(b)=0 and b=a(mod 1"). 


If R is integral domain, then these conditions determine b uniquely. 

(We remark that Hensel’s lemma is usually proven for complete local rings, 
and generally one uses Newton’s iteration w,,4; = Wm — F(W,)/F'(w,). For 
this reason, we include a quick proof of (1.2).) 


Proor. To ease notation, we replace F(w) by F(w + a)/a, so we are now 
dealing with the recursion 
Wo = 0, Fel", F'(0) = 1 (mod J), Wntt = Wm — F (Wa). 


Since F(0)eI", it is clear that if weI", then w — F(w) is also in I”. It follows 
that 


Ww, El" for all m > 0. 
We now show by induction that 
Wn = Wy. (mod I™*") — for all m > 0. 


For m = 0, this just says F(0) = 0 (mod I"), which is one of our initial as- 
sumptions. Assume now that this congruence is true for all integers less than 
m. Let X and Y be new variables, and factor 
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F(X) — F(Y) = (X — Y)(F'(0) + XG(X, Y) + YH(X, Y)) 
with polynomials G, He R[X, Y]. Then 
Wnt1 — Wn = (Wr = F (Wm) a (Wn—1 — F(Wn—1)) 
= (Win — Wm—1) = (F(Wp) _ F(Wn-1)) 
= (Wm — Wm—1) [1 — F'(O) — Wa G(Wns Wm—1) 
= m1 (Wa, Wm-1) ] en. 
Here the last line follows from the induction hypothesis and the fact that 
F'(0) = 1 (mod J) and w,,, W,—, €1". This proves that w,, — Wm-; €/™*" for all 
m>0. 

Since R is complete with respect to I, it follows that the sequence w,, 
converges to an element be R; and since every w,,e€I", bel" also. Further, 
taking the limit of the relation w+; = W,— F(w,) aS m—oo yields 
b = b — F(b), so F(b) = 0. 

Finally, to show uniqueness (under the assumption that R is an integral 
domain), suppose that also ceJ" and F(c) = 0. Then 


0 = F(b) — F(c) = (b — c)(F'(0) + bG(b, c) + cH(b, 0). 


Ifb 4c, then F'(0) + bG(b, c) + cH(b, c) = 0. But bG(b, c) + cH(b, c)eEl, so it 
would follow that F’(0)e/. This contradiction shows that b = c. Oo 


Using the power series w(z) from (1.1), we find Laurent series for x and y, 


Zz 1 oa 
x(2) = —~ = 5 — + — ay — 32 — (a4 + aya3)2? — + 
w(z) z Zz 
—1 1 a, a, 
V2) eS gh oy eg Og F Gy ag)er 
w(z) Zz Zz iz 


Similarly the invariant differential has an expansion 
co(z) = (1 + ayz + (a2 + ay)2z? + (a? + 2a,a, + a3)z° 
+ (at + 3a%a, + 6a,a3 + a3 + 2a,)z* +--+) dz. 


We note that the series x(z), y(z), and w(z) have coefficients in Z[a,,..., dg]. 
This is clear for x(z) and y(z); while for w(z) it follows from the two 
expressions 


a(z) dx(z)/dz —2773 4: : 
= = Z int 
Eo hast Se a6] [z] 
a(z) dy(z)/dz _ 324 4: 


= ge aN eR reac a zi, 
dz 3x*4+2a,x+a,-a,y 32 44°": [3 a1 ll] 


which show that any denominator is simultaneously a power of 2 and a 
power of 3. 
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Now the pair (x(z), y(z)) provides a “formal solution” to the Weierstrass 
equation 


E:y? + ayxy + a3y = x? + a,x? + agx + a; 


that is, a solution in the field of formal power series. If E is defined over a field 
K, we might try to produce points of E by taking ze K and looking at 
(x(z), y(z)). In general, there is no obvious way to attach a meaning to an 
infinite series such as x(z). But if K is a complete local field with ring of 
integers R and maximal ideal .Z, and if the coefficients satisfy a;e R, and if 
zé.M, then the power series x(z) and y(z) will converge to give a point of 
E(K). This gives an injection (the inverse is z = —x(z)/y(z)) 


M — E(K), 


and it is easy to characterize the image as those (x, y) with x" e.@. This map 
will be a key tool when we study elliptic curves over local fields in chapter 
VII. 

Returning now to formal power series, we look for the power series for- 
mally giving the addition law on E. Thus let z,, z, be independent indetermi- 
nates, and let w, = w(z,) for i = 1, 2. In the (z, w)-plane, the line connecting 
(z,, W,) to (z2, w,) has slope 


Wa-W, SB , 23-24 
A= Mz, 22) = >= : E€Z[a,,..., a6] 21, 2]. 
1 


2741 0 e300 22 — 
Note that 4 has no constant or linear term. Letting 
v = W(Z1, 22) = w, — Az, EZ[a,,..., ag] 21, 22], 


the connecting line has equation w = Az + v. Substituting this into the 
Weierstrass equation gives a cubic in z, two of whose roots are z, and zy. 
Looking at the quadratic term, we see that the third root (say z3) can be 
expressed as a power series in z, and z,, 


23 = 23(Z,, 22) 

a, + a,d? — anv — 2agdv — 3a, h?v 
1+a,4+.a,/? +a,A3 

EZ[ay,,..., &6][21, 22]. 


For the group law on E, the points (z,, w,), (22, W2), (Z3, W3) add up to zero. 
Thus to add the first two, we need the formula for the inverse. In the (x, y)- 
plane, the inverse of (x, y) is (x, —y — a,x — a). Hence the inverse of (z, w) 
will have z-coordinate (remember z = —x/y) 


x(z) z*—az i: 
= Z[ay,..., ; 
y(z) + a,x(2)+ a, —23+2a,224°"— Las all] 


i(z) = 


This gives the formal addition law 
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F(21, 2) = i(23(21, Z2)) 
= 24 +29 — G42422 — A,(2}22 + 2123) 
eg (2a,232, aa (a,a, = 3a3)z723 + 2a52,23) + cae 
eZ{[a,,..-, a6] [21, 22). 
From the corresponding properties for E we deduce that F(z,, 22) satisfies 
F(Z, 22) = F(Z, 21) (commutativity) 
F(z,, F(Z, 2)) = F(F(24, 2), 2) (associativity) 

F(z, i(z)) =0 (inverse). 

The power series F(z,, Z,) might be described as “a group law without any 
group elements”. Such objects are called formal groups. We could now con- 
tinue with the study of the particular formal group coming from our elliptic 
curve, but since it is little more difficult to analyze arbitrary (one-parameter) 
formal groups, and in fact the abstraction tends to clarify the situation, we 


will take the latter approach. The reader should, however, keep the example 
of an elliptic curve in mind when reading the rest of this chapter. 


§2. Formal Groups 
Let R be a ring. 


Definition. A (one-parameter commutative) formal group F defined over R is a 
power series F(X, Y)e R[X, Y] satisfying: 


(a) F(X, Y) = X + Y + (terms of degree > 2). 

(b) F(X, F(Y, Z)) = F(F(X, Y), Z) (associativity). 

(c) F(X, Y) = F(Y, X) (commutativity). 

(d) There is a unique power series i(T)¢R[T] such that F(T, i(T)) =0 
(inverse). 

(ec) F(X, 0) = X and F(0, Y) = Y. 


We call F(X, Y) the formal group law of ¥. 
Remark 2.1. It is in fact easy to show that (a) and (b) imply (d) and (€) (exer. 


4.1). It is also true that (a) and (b) imply (c) provided that R has no torsion nil- 
potents (see exer. 4.2b), but we will only prove this below if char(R) = 0. 


Definition. Let (¥, F) and (G, G) be formal groups defined over R. A homo- 
morphism from ¥ to GY defined over R is a power series (with no constant 
term) f(T)e R[T ] satisfying 


SFX Y)) = GF), FY). 
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¥ and F are isomorphic over R if there are homomorphisms f: ¥ > Y and 
9:9 > defined over R with 


F(9(T)) = g(f(T)) = T. 


Example 2.2.1. The formal additive group, denoted G,, is given by 
F(X, Y)=X4+Y. 


Example 2.2.2. The formal multiplicative group, denoted G,,,, is given by 
F(X, Y)=X4+Y+XY=(1+ X)14+ YY-1. 
Example 2.2.3. Let E be an elliptic curve given by a Weierstrass equation 
with coefficients in R. The formal group associated to E, denoted E, is given 
by the power series F(z,, z,) described in section 1. 
Example 2.2.4. Let (¥, F) be a formal group. We can define homomorphisms 
[m]:F% ~F 


inductively for me Z by 


[0}(T)=0 = [m+ 1](T) = F([m](T), T) 
[m — 1](T) = F([m](T), i(T)). 


One easily checks (by induction) that [m] is a homomorphism. We call [m] 
the multiplication-by-m map. The following elementary proposition, which 
explains when [m] is invertible, will be of great importance. (The progression 
is (2.3) => (3.2b) > (VII.3.1), and the latter provides a key fact for the proof of 
the weak Mordell—Weil theorem (VIII.1.1).) 


Proposition 2.3. Let F be a formal group over R, and let me Z. 


(a) [m](T) = mT + (higher order terms). 
(b) If me R*, then [m]: ¥ — F is an isomorphism. 


ProoF. (a) For m 2 0 this is a trivial induction using the recursive definition 
of [m] and the fact that F(X, Y) = X + Y +-::. Then, from 


0= F(T, i(T)) = T+ i(T)+°---, 


we see that i(T) = —T + ---; and now the downward induction for m < 0 is 
also clear. 

(b) This follows from (a) and the following lemma, which we will have 
occasion to use several times. oO 


Lemma 2.4, Let ae R* and f(T)€R[T ] a power series starting 
f(T) =aT+:. 
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Then there is a unique power series g(T)€R[T]] such that f(g(T)) = T. It 
further satisfies g(f(T)) = T. 


ProoF. We construct a sequence of polynomials g,(T)¢ R[T ] satisfying 
f(9.(T)) = T (mod T"*") and g,41(T) = g,(T) (mod T"*?). 


Then g(T) = Lim g,(T) exists and clearly satisfies f(g(T)) = T. 
To start the induction, let g,(T) = a~'T. Now suppose g,_,(T) has been 
constructed. We look for Ae R so that 


Gn(T) = Gn—1(T) + AT” 
has the desired property. We compute 
F(9n(T)) = f(Gn-1(T) + AT") 
= f(Gn-1(T)) + aAT" (mod T"*") 
=T+bT"+aiT" (mod T""’) 


for some be R by the induction hypothesis. It thus suffices to take 4 = —b/a, 
which is in R because ae R*. This shows that g(T) exists. 

Next, applying g to f(g(T)) = T gives g(f(g(T))) = g(T). This is an iden- 
tity in the power-series ring R[_g(T)], so g(f(T)) = T. Finally, if f(h(T)) = T, 
then 


AT) = g(f(A(T)) = (g of (A(T)) = A(T), 
which shows that g(T) is unique. fs 


§3. Groups Associated to Formal Groups 


In general a formal group is merely a group operation, with no actual under- 
lying group. But if the ring R is local and complete, and if the variables are 
assigned values in the maximal ideal of R, then the power series giving the 
formal group will converge. In this section we give some basic facts about the 
resulting group. The following notation will be used: 


R a complete local ring 

M the maximal ideal of R 

k the residue field R/.Z 

F a formal group defined over R, with formal group law F(X, Y). 


Definition. The group associated to ¥/R, denoted F(.M), is the set M with 
the group operations 
x Og y = F(x, y) (addition) for x, yE.%, 


Ogx = i(x) (inverse) for xe. 
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Similarly, for n > 1, F(#") is the subgroup of F(Z) consisting of the set 4". 

Since R is complete, the power series F(x, y) and i(x) converge in R for 
x, ye.M; and then the axioms for a formal group immediately imply that 
F(M) is a group and F(.4") a subgroup. 


Example 3.1.1. The additive group G,(/) is just .@ with its usual addition 
law. Notice the exact sequence (of additive groups) 


0-G6,(M > R>k=0. 


Example 3.1.2. The multiplicative group G,,() is the group of 1-units (i.e. 
1 + .@) with its usual multiplication. Notice we again have an exact sequence 


0>6,,(M > R* > k* 50. 


Example 3.1.3. Let £ be the formal group associated to an elliptic curve E/K 
(2.2.3), where K is the quotient field of R. As we noted in section 1, the power 
series x(z) and y(z) give a map 


M — E(K) 
z — (x(2), y(z)). 


From the way the power series for £ was defined, this map gives a homo- 
morphism of E(.@) to E(K). As we will see in chapter VII, there is often an 
exact sequence 


0 > E(.@) > E(K) > E(k) > 0, 
where E is a certain elliptic curve defined over the residue field k. In this way 


the study of E(K) is reduced to the study of the formal group E and the study 
of an elliptic curve over a smaller (so hopefully simpler) field. 


Proposition 3.2. (a) For each n > 1, the map 
F (MF (M"*) ais M"|M"** 


induced by the identity map on sets is an isomorphism of groups. 

(b) Let p be the characteristic of k (p =0 is allowed). Then every torsion 
element of F(M) has order a power of p. (See section 6 for a more precise 
description.) 


ProorF. (a) Since the underlying sets are the same, it suffices to show that the 
map is a homomorphism. But for x, ye.Z", 


XOgy=F(x,y)=xtyto™ 
=x + y(mod .4"). 


(b) We give two proofs of this important fact. Multiplying an arbitrary tor- 
sion element by an appropriate power of p, it suffices to prove that there are 
no non-zero torsion elements of order prime to p. Thus let m > 1 be prime to 
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p (arbitrary if p = 0) and xe F(Z) an element with [m](x) = 0. We must 
show x = 0. 

First, since m is prime to p, we see that m¢.@. Hence from (2.3b), [m] is an 
isomorphism of the formal group ¥/R to itself, so it induces an isomorphism 
[m]: F(4) 3 F(M). 

In particular, it has trivial kernel, so x = 0. 

For the second proof, we assume that R is Noetherian. We show induc- 
tively that xe." for all n > 1, which implies x = 0 from Krull’s theorem 
(LA—M, Corollary 10.20]). By assumption, xe.@. Suppose xe.@". Look at 
the image X of x in F(.W")/F(.4"*"). On the one hand, x has order dividing 
m. On the other hand, F(.4")/F(@"*") has only p-torsion, since from (a) it is 
isomorphic to the k vector space .@"/.M"*'. Hence x = 0, so xe.&@"*! as 
desired. 0] 


§4. The Invariant Differential 


We return to the study of a formal group ¥ defined over an arbitrary ring R. 
In such a formal setting, a differential form is simply an expression P(T)dT 
with P(T)e€ RT]. Of particular interest are those differential forms which 
respect the group structure of F. 
Definition. An invariant differential on F/R is a differential form 

w(T) = P(T)dTeER[T] dT 
satisfying 

0 F(T, S) = @(T). 

{In other words, satisfying 

P(F(T, S))Fx(T, S) = P(T), 
where F,(X, Y) is the partial derivative of F with respect to the first variable. ] 
An invariant differential as above is said to be normalized if P(0) = 1. 


Example 4.1.1. On the additive group G,, an invariant differential is w = dT. 


Example 4.1.2. On the multiplicative group G,,, an invariant differential is 
o=(1+ T)'dT=(1—T+ T? —:::)dT. 
Proposition 4.2. Let F/R be a formal group. There exists a unique normalized 
invariant differential on F/R, given by the formula 
w = F,(0, T)*4T. 


Every invariant differential on F /R is of the form aw for some ae R. 
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Proor. Suppose P(T)dTis an invariant differential on ¥/R. Thus 
P(F(T, S))Fx(T, S) = P(T). 
Putting T = 0 (remember F (0, S) = S) gives 
P(S)F,(0, S) = P(0). 


Since F,(0, S) = 1+. ---, we see that P(T) is determined by P(0), and every 
possible invariant differential is of the form aw with ae R and 


co(T) = F,(0, T)~* aT. 


Since this @ is normalized, it only remains to show that it is invariant. 
Thus we must show that 


F,(0, F(T, S))7'F,(T, S) = F,(0, T)?. 
To prove this, differentiate the associative law 
F(U, F(T, S)) = F(F(U, T), S) 
with respect to U to obtain (chain rule!) 
F,(U, F(T, S)) = Fy(F(U, T), S)Fy(U, T). 

Now putting U = 0 (note F(0, T) = T) yields 

F,(0, F(T, S)) = Fx(T, S)Fx(0, T), 
which is the desired result. oO 
Corollary 4.3. Let ¥, G/R be formal groups with normalized invariant dif- 
ferentials wg, wg. Let f: ¥ >G be a homomorphism. Then 

ogof = f'Oag. 
(Here f’(T) is the formal derivative of the power series, obtained by differen- 
tiating f(T) term by term.) 
Proor. Let F(X, Y), G(X, Y) be the formal group laws for ¥ and Y. We 
verify that wg o f is an invariant differential on F: 
ag 0 f(F(T, S)) = w¢(G(f(T), f(S))) since f is a homomorphism 

= Wg 0 f(T) since wg is invariant for G. 

Hence from (4.2), wg o f equals awgz. Comparing initial terms gives a = f’(0). 


O 


Corollary 4.4. Let F/R be a formal group and péZ a prime. Then there are 
power series f(T), g(T)€R[T ] such that 


[p](T) = pf (T) + 9(T”). 
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ProorF. Let w(T) be the normalized invariant differential on ¥. From (2.3a) 
we have [p]'(0) = p, so (4.3) implies that 


po(T) = wo[p](T) = (1 + ---)[p (1) aT. 


Since the series (1+--:) is invertible in R[T], it follows that 
[p]'(T)epR[T]; hence every term aT" in the series [p](T) satisfies either 
aepR or p|n. C 


Example 4.5. Let E be the formal group associated to an elliptic curve (2.2.3). 
Then in terms of the coefficients of a Weierstrass equation for E, one finds 
[2](T) = 2{T —a,T? +-+-} + {-a,T? + (aya, — 7a3)T* + --*}, 
[3](T) = 3{T — a, T? + (4aa, — 13a3)T* +--+} + {(a} — 8a,)T? + °°}. 


§5. The Formal Logarithm 


By integrating an invariant differential, one might hope to obtain a homo- 
morphism to the additive group. Unfortunately, integration tends to intro- 
duce denominators, but at least in characteristic 0 we can proceed fairly well. 


Definition. Let R be a ring of characteristic 0, K = R © Q, and ¥/R a formal 
group. Let 

o(T)=1+¢c,T+c,T? +¢,T? +°:-dT 
be the normalized invariant differential on #/R. The formal logarithm of 


F /R is the power series 


logs(T) = fon =T4+ 377427? +--eK[T]. 


The formal exponential of F/R is the unique power series expg(T)e K[T] 
satisfying 


logg oexpg(T) = expg ologg(T) = T. 


(Note expg exists and is unique from (2.4).) 


Example 5.1. The formal group law and invariant differential of the formal 


a 


multiplicative group ¥ = G,, are 
Fg(X,Y)=X+Y+XY and w¢(T)=(1+ T) "dT. 


Thus its formal logarithm and exponential are given by 


logs(T) = fa 4 T) dT = ¥ (-1" Tn 
n=1 
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and 
expg(T) = >) T"/n!. 
n=1 


(Remember that the “identity” is at T = 0, so in terms of the usual series these 
series are log(1 + T) and e7 — 1.) 


Proposition 5.2. Let ¥/R be a formal group with char(R) = 0. Then 
logg: F >G, 
is an isomorphism of formal groups over K = R @ Q. (N.B. Due to the de- 
nominators in logg, it is not in general an isomorphism over R.) 
Proor. Let w(T) be the normalized invariant differential on F/R. Thus 
(F(T, S)) = o(T). 
Integrating this with respect to T gives 
logg F(T, S) = logg(T) + f(S) 


for some “constant of integration” f(S)¢ K[S]. Taking T = 0 shows that 
f(S) = logg(S), which proves that logg is indeed a homomorphism. Its 
inverse is expg, So logg is an isomorphism. oO 


Application 5.3. Suppose R is a ring of characteristic 0 and F(X, Y)e R[X, Y] 
is a power series satisfying 


F(X, F(Y, Z)) = F(F(X, Y), Z), F(X, 0) = X, F(0O, Y)= Y. 
We note that in constructing the invariant differential, formal logarithm, and 
formal exponential, and in proving their basic properties, we used only these 


three facts about F(X, Y). Thus letting K = R © Q, we have shown the 
existence of power series log(T), exp(T) € KT ] such that 


F(X, Y) = exp(log(X) + log(Y)). 


In particular, we see that F(X, Y) = F(Y, X). In other words, every one- 
parameter formal group in characteristic 0 is automatically commutative. 
(For a more precise statement, see exer. 4.2b.) 


For certain applications it is useful to have a bound for the denominators 
appearing in log and exp. For the former, it is clear from the definition, while 


for the latter we use the following calculation. 


Lemma 5.4. Let R be a ring with char(R) = 0, and let 


be a power series with a,€R and a, € R*. Then the unique power series satisfy- 
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ing f(g(T)) = T (cf. 2.4) can be written 


2 b 
T)= >} —*T 
g(T) ae 
with b,,€ R. 


ProoF. Differentiating f(g(T)) = T gives 
S(G(T))g'(T) = 1; 


so evaluating at T = 0 shows that 
by = 9'(0) = 1/f'(0) = 1/a, € R*. 
Differentiating again yields 


F'(G(T))9"(T) + f'"(G(T)) 9 (TY = 0 


Now repeated differentiation will show that for every n > 2, f'(g(T))g(T) 
can be expressed as a polynomial (with integer coefficients) in the variables 
fQG(T)), 1 <i<n, and g(T), 1<j<n—1. Hence evaluating at T=0 
expresses a, b, as a polynomial in a,,..., a,, b,,..., b,-,. Since a,, b, € R*, an 
easy induction now shows that every b,€ R. oO 


Proposition 5.5. Let R be a ring with char(R) = 0, and let F/R be a formal 
group. Then 


logs(T) = 3° T" and expg(T)= yar 


car 
with a,, b,ER and a, = b, = 


Proor. The expression for logg follows directly from the definition, and then 
the above lemma (5.4) shows that expg has the desired form. Ol 


§6. Formal Groups over Discrete Valuation Rings 


Let R be a complete local ring with maximal ideal .@, and let #/R be a 
formal group. As we have seen (2.2b), the associated group F() has no 
torsion of order prime to p = char(R/.#). We now analyze more closely the 
p-primary torsion for the case of discrete valuation rings. 


Theorem 6.1. Let R be a discrete valuation ring which is complete with respect 
to its maximal ideal M, let p = char(R/.@), and let v be the valuation on R. Let 
¥/R be a formal group, and suppose that x € ¥() has exact order p" for some 
n > 1. (Le. [p"](x) = 0 and [p""1](x) 4 0.) Then 


v(x) <— WP) 2 


Pp —P 
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Proor. The statement is automatic (and uninteresting) if char(R) #0 or 
p = 0, since then v(p) = oo. We assume this is not the case. From (4.4), we 
know that 


[p](T) = f(T) + g(T”); 


and from (2.3a), f(T) = T + -::. We prove the theorem by induction on n. 
Suppose x # 0 and [p](x) = 0. Thus 


0 = pf(x) + g(x’). 


Since R is a discrete valuation ring, the only way that the leading term of 
pf(x) can be eliminated is to have 


v(px) > v(x?). 
Hence 
v(p) > (p — 1)o(x), 


which proves the theorem for n = 1. 
Now assume that the theorem is true for n, and let xe F(M) have exact 
order p"*!. Then 


v([p](x)) = v(pf(x) + g(x?)) 
> min {v(px), v(x?)}. 
But [p](x) has exact order p", so by the induction hypothesis 
v(p)/(p" — p" *) > v(Lp] (x)). 
Therefore 
v(p)/(p" — p®"*) > min {v(px), v(x?)}. 
But since v(x) > 0 and n > 1, it certainly is not possible to have 
v(p)/(p" — p"*) > v(px). 
We conclude that 
v(p)/(p" — p**) > v(x?) = p(x), 
which is exactly the desired result. O 


Example 6.1.1. Let ¥ be a formal group defined over Z,, the ring of p-adic 
integers. If p > 3, then (6.1) says that F(pZ,) has no torsion at all; and even 
for p = 2 it has at most elements of order 2. The same holds for the ring of 
integers in any finite unramified extension of Q,. For a general finite exten- 
sion, the determining factor is the ramification degree (which equals v(p) if 
one takes a normalized valuation.) 


Next we show that ¥(.4) has a large piece that looks like the additive 
group. The idea is to use the formal logarithm to define the map, but the 
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presence of denominators means that convergence is no longer automatic. 
The following two lemmas will thus be useful. 


Lemma 6.2. Let v be a valuation and pe Z a prime with O < v(p) < oo. Then for 
all integers n > 1, 


v(n!) < 


(n — 1)v(p) 
pay *- 


Proor. We compute 


v(n!) = ¥(5 Joe )< = a 


i= 


nv(p) 


= are p lesen) < < (n = 1)v(p) : 


p-1 


Lemma 6.3. Let R be a ring of characteristic 0, complete with respect to a 
discrete valuation v, and let pe Z be a prime with v(p) > 0. 
(a) Let f(T) be a power series of the form 


(nH=F aT T" with a,eR. 
n=1 
If xER satisfies v(x) > 0, then the series f(x) converges in R. 
(b) Let g(T) be a power series of the form 
a) 
g(T)= ¥ cae with b,€R and b,€R*. 
n=1 N: 


If xeER satisfies v(x) > v(p)/(p — 1), then the series g(x) converges in R, and 
v(g(x)) = v(x). 


ProoF. (a) For a general term of f(x), we have 
v(a,x"/n) > nv(x) — v(n) since a,ER 
2 nv(x) — (log, n)v(p); 


and this last expression goes to oo as n goes to oo. Since v is non- 
archimedean, f(x) converges. 
(b) For a general term of the series g(x), we have 


v(b,x"/n!) > nv(x) — v(n!) since b,éR 


> nv(x) — (n — 1)v(p)(p — 1) from (6.2) 
= v(x) + (n — 1) {ots) att 
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Hence from the initial assumption on v(x), we have 
v(b,x"/n!) + 00 as n— oo, and 
v(b, x"/n!) > v(x) for n > 2. 


Since v is non-archimedean, the former implies that g(x) converges, and the 
latter shows that the leading term predominates. (Note v(b, x) = v(x).) Oo 


Theorem 6.4. Let K be a field of characteristic 0, complete with respect to a 
normalized discrete valuation v (i.e. v(K*) = Z), R the valuation ring of K, M 
the maximal ideal of R, and peZ a prime with v(p) > 0. Let F/R be a formal 
group. 
(a) The formal logarithm induces a homomorphism 

logg: F(M)-K (taken additively). 


(b) Let r > v(p)(p — 1) be an integer. Then the formal logarithm induces an 
isomorphism 


logg: F(M) 3G (M). 


ProoF. (a) Since 
logg F(X, Y) = loggX + logg Y 


as power series (5.2), it suffices to prove that logg(x) converges for xe.@. 
This follows from (5.5) and (6.3a). 

(b) Similarly, since logg and expg give inverse homomorphisms as power 
series (5.2), it suffices to show that for xe.#@', both logg(x) and expg(x) 
converge and are in .4@”. This follows immediately from (5.5) and (6.3b). (Note 
that since v is normalized, x¢.’ is equivalent to v(x) > r.) oO 


Remark 6.5. If r > v(p)/p — 1, then (6.4) implies that F(Z’) is torsion free, 
since G,(.M’) certainly is. We thus recover the n = 1 case of (6.1). 


§7. Formal Groups in Characteristic p 
For this section we let R be a ring of characteristic p > 0. 


Definition. Let F, Y/R be formal groups and f: F3Ga homomorphism 
defined over R. The height of f, denoted ht(f), is the largest integer h such 
that 


S(T) = g(T”) 


for some power series g(T)e€ R[T ]. (If f = 0, then ht(f) = 00.) The height of 
F, denoted ht(F), is the height of the multiplication by p map [p]: F¥ > F. 
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Example 7.1. If m2 1 is prime to p, then ht([m]) =0, since [m](T) = 
mT +--- (2.3a). On the other hand, (4.4) implies that ht([p]) > 1, so the 
height of a formal group is always a positive integer. 


Proposition 7.2. Let ¥, Y/R be formal groups and f: ¥ > Y a homomorphism 
defined over R. 

(a) If f’(0) = 0, then f(T) = f,(T”) for some f,(T)eR[T]. 

(b) Write f(T) = g(T’”) with h = ht(f). Then g'(0) # 0. 


ProoF. (a) Let wg and wg be the normalized invariant differentials on FY and 
G. Then 


0= f'(0)wg(T) since f’(0) = 0 
= w¢(f(T)) from (4.3) 
=(1+°-:/)f'(T)daT. 


Hence f’(T) = 0, so f(T) = f,(T”). 

(b) Let q = p", and if F(X, Y) = Xa,,X'Y! is the power series for F, let F 
denote the formal group with group law F(X, Y) = Za},X'Y/. One easily 
checks that since char(R) = p, ¥™ is a formal group. We now show that g is 
a homomorphism from ¥™ to G. 


g(F(X, Y)) = g(F(S, T)) —s writing S¢ = X, T7 = Y 
= f(F(S, T)) 
= G(f(S), f(T)) since f is a homomorphism 
= G(g(S*), g(T)) 
= G(g(X), g(Y)). 


Hence if g'(0) = 0, then from (a) we would have g(T) = g,(T”). This would 
mean that 


f(T) = g(T”) = 9,(T””’), 
contradicting the fact that h = ht(f). Therefore g'(0) # 0. El 


Next we show that the height behaves well under composition. 
Proposition 7.3. Let F, Y, #/R be formal groups and 
FLG4H 
a chain of homomorphisms. Then 
ht(go f) = ht(f) + ht(g). 


PRooF. Write 
f(T) =f,(T"") and g(T)=9,(T?””). 
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Then 
gof(T) = g(f(Trryr”) = gi (A(T), 


where f, is obtained from f, by raising each coefficient to the p™® power. 
Since g, and f, have non-zero linear terms (7.2b), it follows that 


ht(gof) = ht(f) + ht(g). O 


Finally, we return to the study of elliptic curves, and relate the inseparable 
degree of an isogeny to the height of the corresponding map on the formal 
groups. 


Theorem 7.4. Let K be a field of characteristic p > 0, E,, E,/K elliptic curves, 
and ¢: E, > E, a non-zero isogeny defined over K. Further let f: E, > E, be 
the homomorphism of formal groups induced by ¢. Then 


degi(p) = pi”. 


Corollary 7.5. Let E/K be an elliptic curve. Then 
ht(£) = 1 or 2. 


Proor. We start with two special cases. 


Case 1. ¢ is the p’-power Frobenius map. Then deg;¢ = p’ (II.2.11), while 
S(T) = T”", so ht(f) =r. 


Case 2. ¢ is separable. Let w be an invariant differential on E,/K, and let 
w(T) be the corresponding differential on the formal group E,. Since ¢ is 
separable, we have ¢*@ # 0 (II.4.2c), so using (4.3), 


wof(T) = f'(O)a(T) £0. 


Hence f’(0) 4 0, so ht(f) = 0. 

Now from (II.2.12) every isogeny is the composition of a Frobenius map 
and a separable map. The theorem now follows from the above two cases and 
the fact that inseparable degrees multiply and heights add (7.3) under 
composition. 

The corollary is immediate on applying the theorem with ¢ = [p], since 
the map [p] has degree p? (III.6.4a). oO 


EXERCISES 
4.1. Let F(X, Y)eR[X, Y] be a power series satisfying 
F(X,Y)=X+Y+- and F(X, F(Y,Z)) = F(F(X, Y), Z). 


(a) Show that there is a unique power series i(T)€R[T] satisfying 
F(T, i(T)) = 0. 
(b) Show that F(X, 0) = X and F(0, Y) = Y. 
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4.2. 


4.3. 


4A. 


4.5. 


(a) Let R = F,[e]/(e”). Show that 
F(X, Y)=X+Y+exy? 


defines a “non-commutative formal group”. (Le. F satisfies all the properties 
of a formal group law except F(X, Y) = F(Y, X).) 

(b) Let R be a ring. Show that there exists a non-commutative formal group 
defined over R if and only if there is an ee R and integers m, n > 1 such that 
me = 6" =0. 


Let R be the ring of integers in a finite extension of Z, and let #/R be a formal 


group. 
(a) Show that for every xe F(.4), 


Limit [p"](x) = 0. 
(b) Show that for every ae€Z, there exists a unique homomorphism 
[o]: ¥ > F with 
[o](T) =aT +---eR[T]. 


Let R and F/R be as in (exer. 4.3), and let h be the height of the formal group 
over R/.M@ obtained by reducing modulo -@ the coefficients of the formal group 
law for ¥. Show that there is a finite extension R’ of R with maximal ideal 7’ 
such that the p-torsion in ¥(./’) is isomorphic to (Z/pZ)". [Hint: Use the p-adic 
version of the Weierstrass preparation theorem [La 8, Ch. 5, Thm. 11.2].] This 
provides an alternative proof of (7.5). 


Let E be the elliptic curve y? = x3 + Ax. 
(a) Let w(z) = XA,z" be the power series for E described in section 1. Prove that 


A, =90 unless n= 3(mod 4). 


(b) Let F(X, Y) = =F,(X, Y) be the formal group law for E, where F,(X, Y) isa 
homogeneous polynomial of degree n. Prove that 


F,=0 unless n= 1 (mod 4). 


(c) Prove the analogous statements for the curve y? = x? + A. 


Chapter V 
Elliptic Curves over Finite Fields 


In this chapter we study elliptic curves defined over a finite field. The most 
important arithmetic quantity associated with such a curve is its number of 
rational points. We start by proving a theorem of Hasse which says that if K 
is a field with q elements, and E/K is an elliptic curve, then E(K) contains 
approximately q points, with an error of no more than 2./¢. Following Weil, 
we then reinterpret and extend this result in terms of a certain generating 
function, the zeta-function of the curve. In the final two sections we study in 
some detail the endomorphism ring of an elliptic curve defined over a finite 
field, and in particular give the relationship between End(E) and the existence 
of non-trivial p-torsion points. The notation for chapter V is: 


K a perfect field of characteristic p > 0 


q a power of p 


§1. Number of Rational Points 


Let K be a finite field with q elements and let E/K be an elliptic curve. We 
wish to estimate how many points there are in E(K); or equivalently, one 
more than the number of solutions to the equation 


E:y? +a,xy + a3y = x? + a,x? + agx + 6 


with (x, y)eK. Since each value of x yields at most two values of y, a trivial 
upper bound is 2q + 1. But since a “randomly chosen” quadratic equation 
has a 50% chance of being solvable in K, one would expect the right order of 
magnitude to be q. The following theorem, conjectured by E. Artin in his 
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thesis and proved by Hasse in the 1930’s, shows that this heuristic reasoning 
is correct. 


Theorem 1.1. Let E/K be an elliptic curve defined over the field with q elements. 
Then 


| #E(K) —q—1|<2,/¢. 


Proor. Choose a Weierstrass equation for E with coefficients in K, and let 
@:E>E 
(x, y) > (x4, y’) 


be the q'*-power Frobenius morphism (III.4.6). Since the Galois group Ggjx is 
(topologically) generated by the q'*-power map on K, we see that for a point 
PeE(K), 


PeE(K)  ifandonlyif ¢(P)=P. 
Thus 
E(K) = ker(1 — 9), 
re) 
#E(K) = # ker(1 — 4) 
= deg(1—¢) — (II1.5.5 and II1.4.10c). 


(Note the importance of knowing that the map 1 — ¢ is separable.) Since the 
degree map on End(E) is a positive definite quadratic form (III.6.3), and 
deg ¢ = q (II.2.11c), the following version of the Cauchy—Schwarz inequality 
gives the desired result. oO 


Lemma 1.2. Let A be an abelian group and 
d:A-~Z 
a positive definite quadratic form. Then for all wy, dé A, 


\d(y — 9) — d(9) — dW) < 2\/d(@) dy). 


ProoF. For w, dé A, let 
Li, ¢) = dy — 9) — a() — a). 


By definition of quadratic form, L is bilinear. Since d is positive definite, we 
have for all m, ne Z, 


0 < d(myp — ng) = m?d(y) + mnL(y, ¢) + n° dig). 


In particular, taking 
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m= —L(,¢é) and n= 2d(p) 
yields 

0 < d(p) [4d(W) a) — L(y, ¢)’1. 
This gives the desired result provided y #0, while for y = 0 the original 
inequality is trivial. O 
Application 1.3. Let K = F, be a finite field with q odd. One can use Hasse’s 
result to estimate the value of certain character sums on K. Thus let 

f(x) = ax? + bx? + cx + deK[x] 
be a cubic polynomial with distinct roots (in K), and let 
xy: K* > {+1} 


be the unique non-trivial character of order 2. (Ie. y(t) = 1 if and only if tis a 
square in K*.) Extend x to K by setting (0) = 0. We wish to use x to count 
the K-rational points on the elliptic curve 


E:y? =f(x). 


Each xe K will yield 0 (respectively 1 or 2) point(s) (x, y)e E(K) if f(x) is a 
non-square (respectively zero or a non-zero square) in K. Thus in terms of 
we find (remember the point at infinity) 


#E(K)=1+ da (x)) + 1) 
=1hg + 2 uF). 
Comparing this with (1.1), we have proven 


Corollary 1.4. With notation as above, 


< 24/4. 


Notice that the sum consists of qg terms, each +1. Thus (1.4) says that as x 
runs through K, the values of a cubic polynomial f(x) tend to be equally 
distributed between squares and non-squares. 


& xf) 
xeK 


§2. The Weil Conjectures 


In 1949, André Weil made a series of very general conjectures concerning the 
number of points on varieties defined over finite fields. In this section we will 
state Weil’s conjectures and prove them for elliptic curves. 

Let K be a field with q elements; and for each integer n > 1, let K,, be the 
extension of K of degree n, so #K,, = q". Let V/K be a projective variety, so 
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V is the set of zeros 


fi (Xo, tee Xy) = *fin(Xos sees Xn) =0 
of a collection of homogeneous polynomials with coefficients in K. Then 
V(K,,) is the set of points of V with coordinates in K,. We code the number of 
such points into a generating function. 
Definition. The zeta function of V/K is the power series 

foo} Te 
Z(V/K; T) = exp( Y (4 ViKy)—). 
n=1 

(Here if F(T)e Q(T] is a power series with no constant term, then exp(F(T)) 


is the power series £2, F(T)'/i!.) As usual, if we know Z(V/K; T), then we 
can recover the aber #V(K,,) by the formula 


#V(K,) = 


ibn Z(V/K; T) 


(n — 1)!dT" 


The reason for defining Z(V/K; T) in this way, rather than using the more 
natural series L(# V(K,))T”, will become apparent below. 


T=0 


Example 2.1. Let V = P’. Then a point of V(K,) is given by homogeneous 
coordinates [xg, ...,Xy] with x,¢K,, not all zero. Two sets of coordinates 
give the same point if they differ by multiplication by an element of K*. 
Hence 


n(N+1) __ 1 N 
#V(K,) =" =3a" 
so 
N T 
log Z(V/K; T) = 2 ( e)e 
n= &! n 
N 
= ¥ — log(t — 4'7). 
Thus 


1 
G7) 0—at) = gt) 


Notice that in this case the zeta function is actually in Q(T). In general, if 
there are numbers a,, ..., %,€C such that 


#V(K,) =apt-- ta; for alln = 1,2, ..., 


Z(P%/K; T) = 


then Z(V/K; T) will be a rational function. 


Theorem 2.2 (Weil Conjectures). Let K be a field with q elements and V/K a 
smooth projective variety of dimension n. 
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(a) Rationality 
Z(V/K; T)€ Q(T). 


(b) Functional Equation 
There is an integer ¢ (the Euler characteristic of V) so that 


Z(V/K; 1/q"T) = +q™? T° Z(V/K; T). 
(c) Riemann Hypothesis 
There is a factorization 
P,(T) os P,,-1(T) 
Po(T)P2(T) +++ Pox(T) 
with each P(T)€Z[T]. Further P)(T) = 1-— T, P,(T)=1-—q"T, and for 
each 1 <i < 2n — 1, P,(T) factors (over C) as 
P(T)=[](Q@—4«,;T) with |a,| = qi”. 


j 


Z(V/K; T) = 


This conjecture was proposed by Weil [We 3] in 1949, and proven by him 
for curves and abelian varieties. The rationality of the zeta function in general 
was established by Dwork [Dw] in 1960 using techniques of p-adic func- 
tional analysis. Soon thereafter the 7-adic cohomology theory developed by 
M. Artin, Grothendieck, and others gave another proof of the rationality and 
the functional equation. Then in 1973 Deligne ([Del]) proved the Riemann 
hypothesis. For a nice overview of Deligne’s proof, see [Ka]. 

We now prove the Weil conjectures for elliptic curves. Let 7 be a prime 
different from char(K). Recall that we have a representation (III §7) 


End(E) > End(T,(E)) 
Vr. 


If we choose a Z,-basis for T,(E), then we can write w, as a 2 x 2 matrix, and 
in particular can compute 


det(y,), tr(W,)eZy. 
Of course, the determinant and trace do not depend on the choice of basis. 


Proposition 2.3. Let wy ¢ End(E). Then 


det(y) = deg(w) and tr(w,) = 1 + deg(p) — deg(1 — y). 
In particular, det(w,) and tr(y,) are in Z and are independent of ¢. 


Proor. Let v,, v, be a Z,-basis for T(E), and write the matrix of w, for this 


basis as 
a b 
We = ( Cc ‘) : 
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Recall there is a non-degenerate, bilinear, alternating pairing (III.8.3) 
e: T(E) x T(E) > T;(w). 
We compute 
e(v,, v2)" = e([deg w]v,, v2) 
=e(bb,v,,0>) (111.6. 1a) 
= e(Wv,, W0;) (11.8.3 and II1.6.2f) 
= e(av, + cv, bv, + dv.) 
= e(v,, 0.) 
= e(v,, 0,)°*™, 


Since e is non-degenerate, we conclude that deg w = det w,. Finally, for any 
2 x 2 matrix A, a trivial calculation yields 


tr(A) = 1 + det A — det(1 — A). | 
Now let 
@: EE 
be the q'"-power Frobenius endomorphism, so as we saw in section 1, 


#E(K) =deg(1—) — (III.5.5 and III.4.10c). 


Similarly, for each integer n > 1, ¢" is the (q")""-power Frobenius endomor- 
phism, so 


#E(K,) = deg(1 — ¢"). 


From (2.3), the characteristic polynomial of ¢, has coefficients in Z, so we 
can factor it over C as (say) 


det(T — ¢,) = T? — tr(g,)T + det(¢,) = (T — a) (T — B). 
Further, since for every rational number m/ne Q, 
det((m/n) — ¢,) = det(m — n¢,)/n? = deg(m — ng)/n? > 0, 


it follows that the quadratic polynomial det(T — ¢,) has complex conjugate 
roots. Thus |«| = |f|, so from 


af = det o, = deg = q, 
we conclude that 


|a| = |B| = /@. 


Finally we note that the characteristic polynomial of #7 is given by 
det(T — $7) = (T — a") (T — B”). 
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(To compute this, we may put ¢, in Jordan normal form, so it is upper 
triangular with « and 8 on the diagonal.) In particular, 


#E(K,) = deg(1 — ¢”) 
= det(1 — ¢/) from (2.3) 
=1-—a"— p"+q", 


where «, BEC are complex conjugates of absolute value Re From this 
expression it is easy to verify the Weil conjectures for elliptic curves as 
follows. 


Theorem 2.4. Let K be a field with q elements and E/K an elliptic curve. Then 
there is an aeéZ so that 


1—aT+ qT? 


ANS GT a= a) 


Further 
Z(E/K; 1/qT) = Z(E/K; T), and 
1—aT + qT? =(1—aT)(1—BT) with |o| =|B| =./¢. 
Proor. We compute 


log Z(E/K; T) = y (#E(K,))T"/n definition 
n=1 


y (1 —a" — B+ q")T"/n from above 
n=1 


—log(1 — T) + log(1 — aT) + log(1 — BT) — log(1 — qT). 

Hence 

(1 — «T) (1 — BT) 

Z(E/K; T) = ——.—_, 
ee = mya al) 

which has the desired form, since from above « and f are complex conjugates 

of absolute value ./q, and 


a=a+B=tr(¢,) =1+q —deg(l — d)eZ. 


The functional equation is immediate (with ¢ = 0). oO 


Remark 2.5. To see why (2.2c) is called the Riemann hypothesis, we make a 
change of variable and let T = q~*. Thus for an elliptic curve we have 


ra aq™s + qe 


_ 1 
Ceyx(s) = Z(E/K; q*) = @—q)0d—qr9" 
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Now the functional equation reads 


Cex(l —s)= Ceyx(s), 
which certainly looks familiar. Further, the Riemann hypothesis for 
Z(E/K; T) proved above says that if ¢¢/x(s) = 0, then |q*| = J4 so Re(s) = 4. 


§3. The Endomorphism Ring 


Let K be a field of characteristic p, and let E/K be an elliptic curve. We have 
seen (III.6.4) that there are two possibilities for the group of p-torsion points 
E[p], namely 0 and Z/pZ. Similarly, there are several possibilities for the 
endomorphism ring End(E) (III §9). The next result shows that the seemingly 
unrelated values of E[p] and End(E) are in fact far from independent. 


Theorem 3.1 ({[De 1]). Let K be a (perfect) field of characteristic p and E/K an 
elliptic curve. For each integer r > 1, let 


¢,: E+E) and $,:E°) +E 


be the p"-power Frobenius map and its dual. 
(a) The following are equivalent. 


(i) E[p"] = 0 for one (all) r > 1. 
(ii) ¢, is (purely) inseparable for one (all) r > 1. 
(iii) The map [p]: E > E is purely inseparable and j(E)eé F ,2. 
(iv) End(E) is an order in a quaternion algebra. (Note End(E) means End(E).) 
(v) The formal group E/K associated to E has height 2. (cf. IV, §7.) 


(b) If the equivalent conditions in (a) do not hold, then 
E[p'])=Z/p'Z _ forallr > 1, 


and the formal group E/K has height 1. Further, if i(EeF,, then End(E) is an 
order in a quadratic imaginary field. (For j(E) transcendental over F ,, see exer. 
5.8.) 


Definition. If E has the properties given by (3.1a), then we say that E is 
supersingular, or that E has Hasse invariant 0. Otherwise we say that E is 
ordinary, or that E has Hasse invariant 1. 


Remark 3.2.1. There are yet further characterizations of supersingular elliptic 
curves which are quite important in various applications. See [Har IV §4] for 
a description in terms of sheaf cohomology, and [La 3, app. 2 §5] for one 
involving residues of differentials. 


Remark 3.2.2. Do not confuse the notions of singularity and supersingularity. 


138 V. Elliptic Curves over Finite Fields 


By definition a supersingular elliptic curve is an elliptic curve, so in particular 
it is a non-singular (i.e. smooth) curve. 


ProorF oF (3.1). For notational convenience, we let ¢ = ¢. 
(a) Since the Frobenius map is purely inseparable (II.2.11b), we have 


deg,(¢,) = deg,[p"] = (deg,[p])’ = (deg, )’. 
Combining this with (IIT.4.10a) yields 
#E[p"] = deg,(¢,) = deg, (GY, 


from which the equivalence of (i) and (ii) follows immediately. 
Next, from (IV.7.4) and the fact that ¢ is purely inseparable, we have 


deg, = (deg,[p])/p = p*®™. 


Since ¢ has degree p, this shows that (ii) and (v) are equivalent. 

We now prove (ii) = (iii) = (iv) = (ii). 
(ii) => (iii). From (ii), it is immediate that [p] = ¢0¢ is purely inseparable, so 
we must show that j(E)€ F,2. We apply (II.2.12) to the map $:E® > E. Since 
¢ is purely inseparable by assumption, it follows from (II.2.12) and compari- 
son of degrees that ¢ factors as 


¢ 


E®) ak ee E 


fh 


E&?) 


where ¢’ is the p'*-power Frobenius map on E®) and w has degree 1. But then 
w is an isomorphism (II.2.4.1), so 


j(E) = j(E®) = (BE) (cf. T.4.6). 


Hence j(E)e€F,2. 
(iii) => (iv). Suppose End(E£) is not an order in a quaternion algebra. We 
proceed to derive a contradiction. From (III.9.4) we see that 


H = End(E)@Q 


is a number field (either Q or quadratic imaginary over Q). 

Let E’ be any elliptic curve isogenous to E, say y: E> E’. Since wo[p] 
= [p]ow and [p] is purely inseparable on E, comparing inseparability de- 
grees shows [p] is also purely inseparable on E’. Hence 


# E'[p] = deg,[p] = 1, 


so from (i) => (iii) above, j(E’)EF,2. This gives the crucial fact that up to 
isomorphism, there are only finitely many elliptic curves isogenous to E. 
Now choose a prime eZ, ¢ ¥ p, so that ¢ remains prime in the rings 
End(E’) for every E’ isogenous to E. (Since there are only finitely many 
possible End(E’)’s, and each is a subring of %, it is easy to find such an 7. See 
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exer. 5.5.) From (III.6.4b), 
E[¢'] = Z/'Z x Z/¢'Z, 
so we can find a sequence of subgroups 
®,c@,c-.cE with 0,~Z//'Z. 


Let E; = E/®, be the quotient of E by ©, (II1.4.12), so there is an isogeny 
E > E, with kernel ®;. From above, there are only finitely many distinct E,’s, 
so we can choose integers m, n > 0 such that E,,,,, and E,, are isomorphic. 
Composing this isomorphism with the natural projection from E,, to Emin. 
we produce an endomorphism of E,,, 
1: Em——> Emin % Eyy: 

Note that the kernel of A is cyclic of order 2”. (Le. ker(A) = ®,,4,/Dn-) But 2 
is prime in the ring End(E,,), so just by comparing degrees we must have 
A =uo[?"?] for some ue Aut(E,,). (Also n must be even.) But the kernel of 
[¢"] is not cyclic for any n > 0. This contradiction proves the desired result. 
(iv) > (ii). Suppose that (ii) is false, so ¢, is separable for all r > 1. We proceed 
to prove that End(E) is commutative, which will contradict (iv) and so give 
the desired result. 

First we show that the natural map 


End(E) > End(T,(E)) 


is injective. Suppose that ye End(E) goes to 0. Then from the definition of 
T,(E) we have w(E[p’]) = 0 for all r > 1. Since [p"] = ¢,04,, it follows that 


ker g, c ker y. 
Now the assumption that ¢, is separable implies that w factors through ¢, 
(III.4.11), so for every r there is a commutative diagram 
E Bet hy E®) 
SE 
Hence 
deg J, = deg w/deg g, = p™ deg y. 


Since this holds for every r, and deg /, is an integer, we see that eventually 
A, = 0. Therefore w = 0. 

Next, from (III.7.1b), we know that T,(E) is either 0 or Z,. But 
T,(E)/pT,(E) = E[{p], and by assumption E[p] #0, so T,(E) = Z,. Now 
combining this fact with the injection proven above, we have 


End(E) c, End(T,(E)) ¥ End(Z,) = Z,. 


Therefore End(E) is commutative. 
(b) From (III.6.4c), E[p"] is 0 or Z/p’Z for every r > 1. Hence if condition (i) 
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of (a) is false, then we must have 
E[p"] = Z/p’Z for all r > 1. 


Further, since (v) is assumed not to hold, (IV.7.5) implies that £/K has height 
1. 

Suppose now that j(E)e F, and E does not satisfy the conditions in (a). We 
can find an elliptic curve E’, defined over a finite field K, which is isomorphic 
to E (III.1.4b). Let # K = p’, so ¢, is an endomorphism of E’. Suppose that 


¢,EZ < End(E’. 
Then comparing degrees, it would follow that 
¢ =[+p"7] 
(and necessarily r is even.) But then by (4.10) and (II.2.11b), 
#E[p'”] = deg, ¢, = 1, 


contradicting the assumption that (i) does not hold. Therefore ¢,¢Z, so 
End(E’) is strictly larger than Z. By assumption, it is not an order in a 
quaternion algebra, so from (III.9.4) the only remaining possibility is an 
order in a quadratic imaginary field. Since End(E’) = End(£), this completes 
the proof. oO 


§4. Calculating the Hasse Invariant 


From (3.1a) we see that up to isomorphism, there are only finitely many 
elliptic curves with Hasse invariant 0, since each has j-invariant in F,2. For 
p = 2, one can easily check (exer. 5.7) that the only supersingular elliptic 
curve is 

E:y?>+y=x?. 


For p > 2, the following theorem gives a simple criterion for determining 
whether an elliptic curve is supersingular. 


Theorem 4.1. Let K be finite field of characteristic p > 2. 
(a) Let E/K be an elliptic curve with Weierstrass equation 
E:y’ =f(x), 


where f(x)€K[x] is a cubic polynomial with distinct roots (in K). Then E is 
supersingular if and only if the coefficient of x?~! in f(x)®~'” is zero. 
(b) Let m = (p — 1)/2, and define a polynomial 


m 2 
H,(t) = >| (") it 
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Let 46K, 4 #0, 1. Then the elliptic curve 
E: y? = x(x — 1)(x — A) 


is supersingular if and only if H,(A) = 0. 7 
(c) The polynomial H,(t) has distinct roots in K. Up to isomorphism, there are 
exactly 


[p/12] + €, 
supersingular elliptic curves in characteristic p, where 6, = 1, and for p > 5, 
é,=0,1,1,2 if p=1,5,7, 11 (mod 12). 
Remark 4.1.1. The results of this theorem (and more) are mostly in [De 1]. 
Our proof of (a) follows [Man 1], and (c) is from [Ig]. For a beautiful 
generalization to curves of higher genus, see [Man 1]. 
Proor. (a) Let g = #K, let 
fo Rota 


be the unique non-trivial character of order 2, and extend y to K be setting 
x(0) = 0. As we have seen (1.3), y can be used to count the number of points of 
E, 


#E(K)=1+q+ 2, u(F09). 


Since K* is cyclic of order gq — 1, for any ze K we have 
y(z)= 24°)? in K. 
Hence 
#E(K)=1+ DICE in K. 


But again from the cyclic nature of K*, we have the easy result 
; —1 ifq —1ji 
ye] 0 ifq—Tfi 


Since f(x) has degree 3, if we multiply out f(x)?” and sum over xe K, the 
only non-zero term comes from x?~?. Hence if we let 


A, = coefficient of x47! in f(x)”, 
then 
#E(K)=14+ A,. 


(Note this equality is taking place in K, so it is actually only a formula for 
# E(K) modulo p.) 
On the other hand, letting ¢ : E > E be the g'*-power Frobenius endomor- 
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phism, we have (cf. §2) 
# E(K) = deg(1 — ) 
=l-—a+4q, 
where 
a= 1-—deg(1 — ¢) + deg ¢. 
(Le. [a] = ¢ + ¢.) Comparing these two expressions for # E(K), we see that 
—a=A, (as an element of K). 
Since a is an integer, this shows that 
A, = 0<a=0(mod p). 
But ¢ = [a] — ¢, so 
a = 0 (mod pod is inseparable (II1.5.5) 
<> E is supersingular (3.1a(ii)). 
This proves that 
A, = 0+ E is supersingular. 
It remains to show that A, = 0 if and only if A, = 0. Writing 
fe -vP = S (xP YP ( f(xjeP\r" 
and equating coefficients (remember /f is a cubic) yields 
Apps = Apr AP. 


This easily gives the desired result by induction on r. 
(b) This is a special case of (a). We need the coefficient of x?~! in 
[x(x — 1)(x —A4)]", so the coefficient of x” in (x —1)(x—A)". That 


coefficient is 
— (mM if ™ mat 
£(") (ear 


which differs from H,(A) by a factor of (— 1)”. 
(c) Let be the differential operator 


d? d 
9 = Ml — y+ 4 — 2) — 1. 


Then by direct calculation and rearranging terms, one finds (remember 
m = (p — 1)/2) 


m m\; , 
94140) = oS (p -2-29("") ti. 


In particular, since char(K) = p, 
9H,(t)=0 in K[t]. 


§4. Calculating the Hasse Invariant 143 


Hence the only possible multiple roots of H,(t) in K are t = 0 and t = 1. But 
-—1 
H,(0)=1 and H,(1) = (’ 7 )= (—1)" (mod p), 


so the roots of H,(t) are indeed distinct; and each root 4 gives an elliptic curve 
E,: y* = x(x — 1)(x — 4). 


Now for p = 3, H,(t) = 1 + t, so there is exactly one supersingular elliptic 
curve. It has j-invariant j(— 1) = 1728 = 0. We assume now that p > 5. Recall 
that the association 4 > j(A) = j(E,) is exactly six-to-one except for j = 0 and 
1728, where it is two-to-one and three-to-one respectively (III.1.7). Further, if 
H,(A) = 0, then for every 2’ satisfying j(1’) = j(A) we must have H,(1’) = 0; 
since E,, = E,, and the roots of H,(t) give every 4 for which E, is super- 
singular. Let ¢,(j) = 1 if the elliptic curve with j-invariant j is supersingular 
over F,, and ¢,(j) = 0 if it is ordinary. Then using the fact that H,(¢) has 
distinct roots, the above considerations imply that the number of super- 
singular elliptic curves in characteristic p > 5 is 


ts = 2.0) = 3(1728) + 6,(0) + €,(1728) 


Pek 2 1 
= + 5#0(0) + 569(1728) 


As we will compute directly below (4.4, 4.5), ¢,(0) is 0 or 1 according as p = 1 
or 2 (mod 3), and ¢,(1728) is 0 or 1 according as p = 1 or 3 (mod 4). Taking 
the four possibilities for p (mod 12) gives the desired result. oO 


Remark 4.2. The differential operator which we used to prove (4.1c) prob- 
ably seems rather mysterious. This operator is called the Picard—Fuchs 
differential operator for the Legendre equation 


y? = x(x — 1) (x — 0). 

It arises quite naturally when one looks at the Legendre equation as defining 
a family of elliptic curves parametrized by a complex variable t (ie. an 
elliptic surface over P'). For a nice informal discussion of this connection, see 
[Cle, §2.10]. 

Example 4.3. For p = 11, 

H,(t) = 08 + 34+ 0407+ 3t+1 
= (t? —t + 1)(t + 1) (t — 2) (t + 5) (mod 11). 


The supersingular j-invariants in characteristic 11 are j = O andj = 1 = 1728. 


Example 4.4. For which primes p > 5 is the elliptic curve 


E:y=x>+1 


144 V. Elliptic Curves over Finite Fields 


supersingular? Notice this curve has j(E) = 0. From the criterion of (4.1a), we 
must compute the coefficient of x?! in (x? + 1)-?”. If p = 2(3), then there 
is no x?! term, so E is supersingular; while if p = 1(3), then the coefficient is 
(2-133), which is non-zero modulo p, so in this case E is ordinary. 


Example 4.5. Similarly we compute for which primes p > 3 the j = 1728 
elliptic curve 


Eiyt sx? 4% 


is supersingular. This is determined by the coefficient of x?-¥? in 
(x? + 1)®-)?, which equals 0 if p = 3(4) and ((2-1)/4) if p = 1(4). Hence E is 
supersingular if p = 3(4) and ordinary if p = 1(4). 

The above examples might suggest that for a given Weierstrass equation 
with coefficients in Z, the resulting elliptic curve is supersingular in character- 
istic p for half of the primes. This is in fact true provided the elliptic curve has 
complex multiplication over Q, as the j = 0 and j = 1728 curves do. We will 
discuss a more precise result, due to Deuring, in appendix C §11. The next 
example shows that for elliptic curves without complex multiplication, such 
supersingular primes seem to be quite rare. 


Example 4.6. Let E be given by the equation 
E:y?+y=x? —x? — 10x — 20, 


so j(E) = —21? 313/11°. Then either by using the criterion of (4.1a) directly, 
or else using (exer. 5.10) and [B—K, table 3], one finds that the only primes p 
< 100 for which E is supersingular in characteristic p are p = 19 and p = 29. 
(D. H. Lehmer has calculated that there are exactly 27 primes p < 31500 for 
which this E is supersingular.) 

It is always true that there are infinitely many primes for which E is 
ordinary (exer. 5.11); and if E does not have complex multiplication, then 
Serre has shown that the set of supersingular primes for E has density 0 
([Se 3]). There is a more precise conjecture, due to Lang and Trotter [L-T], 
which says that for such E, 


#{p <x: E/F, is supersingular} ~ c,/x/log x 


as x — 00, where c > 0 is a constant depending on E. However, at present the 
set in question is not known to be infinite for any elliptic curve not having 
complex multiplication. 


EXERCISES 
5.1. Verify the Weil conjectures for V = P¥. 


5.2. Let K bea finite field, V/K a smooth projective variety of dimension n, and ¢ the 
Euler characteristic of V (cf. 2.2b). Show that up to +1, the function 


q *?Z(V/K; q~°) 


is invariant under the substitution s > n — s. 
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5.3. 


5.4. 


5.5. 


5.6. 


5.7. 


5.8. 


5.9. 


5.10. 


5.11. 


5.12. 


Show that for any square matrix A, 
exp( ¥" (trace A") r"in) = 1/det(1 — AT). 
n=1 


Let K be a finite field and E, E’/K elliptic curves. 
(a) If E and E’ are isogenous, show that 
#E(K) = #E’(K). 
(b) Prove the converse. [ Hint: Use (III.7.7a).] 
Let %,...,%,/Q be quadratic fields and let #,,...,2%, be orders in 


H,, ..., H,. Show that there is a prime / € Z so that 7; is a prime ideal of &; for 
each i = 1,2, ...,n. 


Let E, E'/F, be elliptic curves with Hasse invariant 1. 
(a) Show that the natural map 


Hom(E, E’) ® Z, > Hom(T,(E), T,(E’)) 
is injective. [Hint: Mimic the proof of III.7.4.] 
(b) If End(E) is an order in Q(,/—D), then \/-—DeQ,. 


Show that the only supersingular elliptic curve in characteristic 2 is the curve 
with j-invariant 0. 


If char K = p and E/K is an elliptic curve with j(E)¢ F ps show that End(E) = Z. 
(Hints: From (III.9.4) it suffices to show that End(£) is not an order in a 
quadratic imaginary field. Now mimic the proof of (3.1a, (iii) = (iv)).] 


Prove the following “mass formula” of Eichler and Deuring: 


pa 


E/Fp 
supersingular 


Let E/F, be an elliptic curve, and ¢: E— E the q"-power Frobenius endo- 
morphism. 
(a) Prove that E is supersingular if and only if 


tr(¢) = 0 (mod p). 


t p-t 


|Aut E] 24 - 


(Here the trace of ¢ is computed in End(T;(E)) for any prime ¢ # p.) 
(b) Suppose now that q = p. Prove that E is supersingular if and only if 


#E(F,) =p +1. 


Let E be an elliptic curve defined over Q, and fix a Weierstrass equation for E 
with coefficients in Z. Show that there are infinitely many primes pe Z so that 
the reduced curve E/F, has Hasse invariant 1. [Hint: Fix a prime /, look at those 
primes p which split completely in the field Q(E[¢]) obtained by adjoining the 
coordinates of all /-torsion points of E to Q, and use exer. 5.10.] 


Prove that for every prime p > 3, the elliptic curve 


E:y>=x3+x 
satisfies 
# E(F,) = 0 (mod 4). 


CHAPTER VI 


Elliptic Curves over C 


Evaluation of the integral giving arc-length on a circle, namely {1/,/1 — x? dx, 
leads to an (inverse) trigonometric function. The analogous problem for the 
arc-length of an ellipse yields an integral which is not computable in terms of 
so-called “elementary” functions. Due to the indeterminacy in the sign of the 
square root, the study of such integrals over C leads one to look at the 
Riemann surface on which they are most naturally defined. For the ellipse, 
this Riemann surface turns out to be the set of complex points on an elliptic 
curve E. We thus begin our study of elliptic curves over C by studying certain 
elliptic integrals, which are line integrals on E(C). (In fact, the reason that 
elliptic curves are so named is because they are the Riemann surfaces as- 
sociated to the integrals for the arc-length of ellipses. In terms of their geome- 
try, ellipses and elliptic curves actually have little in common, the former 
having genus 0 and the latter genus 1.) 

This study of elliptic integrals leads to questions which are fairly difficult to 
answer if one restricts attention to integrals. But, as with the more familiar 
circular functions, it is much easier to develop a theory of the corresponding 
inverse functions. (Thus trigonometry is not generally built up around the 


function fi /,/1 — x? dx, but rather its inverse sin(x).) In sections 2 and 3 we 
give the rudiments of this theory of elliptic functions, which are those mero- 
morphic functions having two R-linearly independent periods. We then 
relate this theory back to our original study of elliptic integrals, and use the 
relationship to make various deductions about elliptic curves over C. In the 
final section we amplify on the remark that the study of elliptic curves over C 
essentially encompasses the theory of elliptic curves over arbitrary algebra- 
ically closed fields of characteristic 0. 

The analytic theory of elliptic functions and integrals is a beautiful, but 
vast, body of knowledge. The contents of this chapter represent a very mod- 
est beginning in the study of that theory. Further, we have restricted our- 
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selves to the function theory of a single elliptic curve. There is another sort of 
function theory which is quite important, namely the theory of modular func- 
tions, in which one studies functions whose domain is the set of all elliptic 
curves over C. (See C §12 for a brief discussion and a list of references.) We 
do not touch on the subject of modular functions in this chapter. 


§1. Elliptic Integrals 
Let E be an elliptic curve defined over C. Since char(C) = 0 and C is algebra- 
ically closed, there is a Weierstrass equation for E in Legendre form (III.1.7), 
E:y? = x(x — 1)(x — 4). 
Then the natural map 
E(C) > P! 
(x, y) > x 
is a double cover ramified over precisely the four points 0, 1, 4, coo € P'(C). 
Recall (III.1.5) that @ = dx/y is a holomorphic differential form on E. 
Suppose that we try to define a map 
E(C)3C 
P+ (Go, 
where the integral is along some path connecting O to P. Of course, this map 
may not be well-defined. To see why, let P = (x, y), and look at what is 
happening in P!. — 
We are attempting to compute the complex line integral 


dt 
ie H(t — a) 


The problem is that this integral is not path-independent, because the square- 


Figure 6.1 
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Branch Cuts 


Figure 6.2 


root is not single valued. Thus in Figure 6.1, the integrals J, w, [,, J,@ are 
not equal. 

In order to make the integral well-defined, it is necessary to make branch 
cuts. For example, the integral will be path-independent on the complement 
of the branch cuts illustrated in Figure 6.2, because in this region it is possible 
to define a single-valued branch of ./t(t — 1)(t — 4). More generally, since 
the square-root is double-valued, we should take two copies of P1(C), make 
the indicated branch cuts (Figure 6.3), and glue them together along the 
branch cuts to form a Riemann surface (Figure 6.4). (Note that P*(C) 
= Cu {oo} is topologically nothing more than a 2-sphere.) As is readily seen, 
the resulting Riemann surface is a torus. It is on this surface that one should 


really study the integral { dt/,/t(t — 1)(t — 4); and in fact, elliptic curves first 
arose when people began to study such integrals. (The very reason that they 


G G 
Figure 6.3 


ps 
Figure 6.4 
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Paths in P'(C) Paths on Torus 


Figure 6.5 


are called elliptic curves is because such “elliptic integrals” arise when one 
attempts to calculate the arc-length of an ellipse (exer. 6.13a).) 
Returning now to our hypothetical map 


E(C)3C 
P>{$o, 
it is seen that the indeterminacy comes from integrating across branch cuts in 
P! (or around non-contractable loops on the torus). Figure 6.5 illustrates two 


closed paths « and f for which the integrals {,@ and |, may be non-zero. 
We thus obtain two complex numbers, which are called periods of E, 


o=[o and a= | 0. 
a B 


Notice that the paths « and # generate the first homology of the torus. Thus 
any two paths from O to P differ by something homologous to n,« + n28 for 
some n,, n € Z, so the integral {5 w is well-defined up to addition of a number 
of the form n,@, + n,@,. Let 


A = {n,@, + 1,@):n,,n, EZ}. 
We have thus shown that there is a well-defined map 
F:E(C)>C/A 
P > {6 (mod A). 


Further, using the translation invariance of o (III.5.1), we can easily verify 
that F is a homomorphism. (The group law on C/A being induced by ad- 
dition on C.) Thus 


P+Q P P+Q P Q P Q 
| vs |o+| oa {o+[ tos | o+[ w (mod A). 
Oo (6) P oO oO (0) oO 


Now the quotient space C/A will be a Riemann surface (ie. a one- 
dimensional complex manifold) if and only if A is a lattice; that is, if and only 
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if the periods w, and w, which generate A are linearly independent over R. 
This turns out to be the case; and further, F gives a complex analytic isomor- 
phism from E(C) to C/A. However, rather than proving these facts here, we 
will instead turn to the study of the space C/A for a given lattice A. In section 
3 we will construct the inverse to the mapping F, and show that C/A is 
analytically isomorphic to E,(C) for a certain elliptic curve E,/C. The unifor- 
mization theorem (5.1) then says that every elliptic curve E/C is isomorphic 
to some E,, from which we will be able to deduce (5.2) that the periods of E/C 
are R-linearly independent and that F is a complex analytic isomorphism. 
(For a direct proof of the independence, which uses only Stokes’ theorem in 
R?, see [Cle, §2.9].) 


§2. Elliptic Functions 


Let Ac C be a lattice; that is, A is a discrete subgroup of C which contains 
an R-basis for C. In this section we will study meromorphic functions on the 
quotient space C/A; or equivalently, meromorphic functions on C which are 
periodic with respect to the lattice A. 


Definition. An elliptic function (relative to the lattice A) is a meromorphic 
function f(z) on C which satisfies 

f(z + w) = f(z) for all we A, zEC. 
The set of all such functions is denoted C(A). C(A) is clearly a field. 


Definition. A fundamental parallelogram for A is a set of the form 
D = {a + t,@, + t,@,:0 < ty, t, < Ly 


where aeC and @,, @, are a basis for A. Thus the map of sets D > C/A is 
bijective. We denote the closure of D in C by D. (A lattice and three different 
fundamental parallelograms are illustrated in Figure 6.6.) 


Figure 6.6 
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Proposition 2.1. An elliptic function with no poles (or no zeros) is constant. 


Proor. Suppose that f(z)eC(A) is holomorphic. Let D be a fundamental 
parallelogram for A. Then the periodicity of f implies that 

sup | f(z)| = sup |f(2)|. 

zeC zeD 
But f is continuous and D is compact, so | f(z)| is bounded on D, hence it is 
bounded on all of C. Therefore, by Liouville’s theorem ([Ahl, ch. 4, §2.3]), f is 
constant. Finally, if f has no zeros, look at 1/f. | 


Let f be an elliptic function, and let we C. Then, as for any meromorphic 
function, we can define 
ord,,({) = order of vanishing of f at w, and 
res,,(f) = residue of f at w 


(cf. [Ahl, ch. 4, §3.2, §5.1]). However, since f is elliptic, we see that the order 
and residue of f remain the same if w is replaced by w + @ for any we A. This 
prompts the following convention. 


Notation. By 2,,.c;, Wwe mean a sum over we D, where D is a fundamental 
parallelogram for A. (By implication, the resulting sum is independent of the 
choice of D.) 


Notice that (2.1) is the complex analogue of (II.1.2), which says that an 
algebraic function without poles is constant. The next theorem and corollary 
continue this theme by proving for C/A results analogous to parts of (II.4.8) 
and (III.3.5). 


Theorem 2.2. Let fe C(A). 
(a) ¥& res,(f) =0. 


weC/A 

(b) ¥ ord,(f) = 0. 
weC/A 

(c) ¥ ord, (f)wed. 
weC/A 


Proor. Let D be a fundamental parallelogram for A such that f(z) has no 
poles or zeros on the boundary @D of D. All three parts of the theorem are 
simple applications of the residue theorem [Ahl, ch. 4, thm. 19] applied to 
appropriately chosen functions on D. 

(a) By the residue theorem, 


>Y resy(f) = ma |, dz. 


weC/A i 
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Now the periodicity of f implies that the integrals along the opposite sides of 
the parallelogram cancel, so the total integral around the boundary of D is 
zero. 
(b) The periodicity of f(z) implies that f’(z) is also periodic, so applying (a) to 
the elliptic function f’(z)/f(z) gives 

y ord, (f) =—— FO. =0. 


weC/A in aD f@ Oo 


(c) We apply the residue theorem to the function zf’(z)/f(z) 


Y ord,(f)w = 5 hs f'@lfedz 


weC/A 
ata, at@,;t+@ at+@2 a 
al | +f +[ + | )y "(z)/f(z)dz. 
~ Oni at+o, at+a@,t+@2 ato, 


Now in the second (respectively third) integral make the change of variable 
Z—Z— @, (respectively z — w,). Then using the periodicity of f’/f yields 


7 aa (z) ator f(z) 
¥ ord, (f)w = al fo dz + al iG) dz 


weC/A 


But for any meromorphic function aN the integral 
°g'2) 4 
sai a 
is the winding number around 0 of the path 
[0, 1] > C, t—>g((1 — tha + tb); 


and in particular, if g(a) = g(b), then the integral is an integer. Hence the 
periodicity of f’(z)/f(z) implies that X ord,,(/)w has the desired form. oO 


Definition. The order of an elliptic function is its number of poles (counted 
with multiplicity) in any fundamental parallelogram. (Note that from (2.2b), 
the order is also equal to the number of zeros.) 


Corollary 2.3. A non-constant elliptic function has order at least 2. 


ProoF. If f(z) has a single simple pole, then from (2.2a) the residue at that 
pole is 0, so f is actually holomorphic. Now apply (2.1). O 


We now define the divisor group Div(C/A) to be the group of formal linear 
combinations 2,,.¢/, Nw(w) with n,,€Z and n,, = 0 for all but finitely many w. 
Then for D = Xn,,(w) € Div(C/A), we define 


deg D = degree of D = )'n,, and Div°(C/A) = {De Div(C/A) : deg D = 0}. 
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From (2.2b), for any f¢C(A)* we can define a divisor div( f)¢ Div°(C/A) by 
divif)= > : ord,,(f)(w). 


weC/ 
Clearly the map div: C(A)* > Div°(C/A) is a homomorphism, since each 
ord,, is a valuation. Finally, we define a summation map 
sum: Div?(C/A) > C/A sum(9n,,(w)) = ¥°n,,w (mod A). 


The following exact sequence encompasses our main results on C/A, as well 
as one fact (3.4) to be proven in the next section. 
Theorem 2.4. The sequence 


13 C*# 5 C(A)* 3 Div(C/A)S C/A 3 0 
is exact. 


Proor. Exactness on the left is clear, and on the right follows from 
sum((w) — (0)) = w. Exactness at C(A)* is (2.1), and exactness at Div°(C/A) 
is (2.2c) and (3.4). Oo 


§3. Construction of Elliptic Functions 


In order to show that the results of section 2 are not vacuous, we must 
construct some non-constant elliptic functions. By (2.3), any such function 
will have order at least 2. Following Weierstrass, we look for a function with 
a pole of order 2 at z = 0. 


Definition. Let A < C bea lattice. The Weierstrass go-function (relative to A) is 
defined by the series 


1 1 1 
(2; A) => +¥ 


wern(z—@)? w" 
oF#0 


The Eisenstein series of weight 2k (for A) is the series 


(For notational convenience, we write g9(z) and G,, if the lattice A has been 
fixed.) 


Theorem 3.1. Let A < C be a lattice. 
(a) The Eisenstein series G,, for A is absolutely convergent for all k > 1. 
(b) The series defining the Weierstrass g-function converges absolutely and 
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uniformly on every compact subset of C — A. It defines a meromorphic function 
on C having a double pole with residue 0 at each lattice point and no other poles. 
(c) The Weierstrass y-function is an even elliptic function. 


Proor. (a) Since A is discrete in C, one easily checks that there is a constant 
c =c(A) so that for all N > 1, the number of lattice points in an annulus 
satisfies 


#{meEA:N <lao|<N+1}<cN. 
(See exer. 6.2.) Hence 


1 2 #{meA:N<la|<N+1} 2 Cc 

2 ye ee < 0. 
ee |@|?* & Nk Pr 7 
ol 21 


(b) If |co| > 2)z], then 


1 1 


(<—a) ow 


z(2@ — z) 
w?(z — w)? 


10|z| 


~ joe 


Hence from (a) we see that the series for g(z) is absolutely convergent for 
zeC —A, and uniformly convergent on every compact subset of C — A. 
Therefore it defines a holomorphic function on C — A; and from the series 
expansion it is clear that g(z) has a double pole with residue 0 at each point 
of A. 

(c) Clearly g(z) = g(—z). (Replace w by —q in the sum.) Since the series for 
g is uniformly convergent, we can compute its derivative g’(z) by termwise 
differentiation: 


1 
‘(z) = -—2 ) ——. 
e @) 2 (z _ )? 
From this expression it is clear that g’ is an elliptic function, so integrating 
yields 
e(z + w) = (z) + c(a) for all ze A, 


where c(w)éC is independent of z. Now let z = —w/2 and use the evenness 
of ¢a(z) to conclude that c(w) = 0. O 


Next we show that every elliptic function can be expressed in terms of the 
Weierstrass go-function and its derivative. (This is the analogue of (III.3.1.1).) 


Theorem 3.2. Let A be a lattice. Then 
C(A) = C(e(2), @’(2)). 


(I.e. Every elliptic function is a rational combination of 9 and g'.) 


ProoF. Let f(z)eC(A). Writing 
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Figure 6.7 


1 
fle) = 5L/) + f(—2)) + 5L/) — f(—2) 


we see that it suffices to prove the theorem for odd and even functions. But if 
f is odd, then g'f is even, so we are reduced to the case that f is even. 
Now if f is even, we have 


ord, f = ord_,, f 


for every we C. Further, we claim that if 2weA, then ord,, f is even. To see 
this, differentiate f(z) = f{(—z) repeatedly to obtain 


f(2) =(-YF(-2). 
Hence if 2we A, so f(w) = f(—w), then this implies that f(w) = 0 for all 
odd i, so ord,, f must be even. 


Now let D be a fundamental parallelogram for A, and let H be “half” of D, 
so that H is a fundamental domain for (C/A)/{ + 1}. (Le. 


C=(H + A)u(—H + A). 
See Figure 6.7.) The above considerations imply that the divisor of f(z) has 
the form 


y nL(w) + (—w)] 


weH 


for certain integers n,,. (Note if 2weA, we are using the fact that ord,, f is 
even.) 
Next consider the function 
g2)= [] [e@)— ew]. 
weH-O 

Since the divisor of go(z) — gw) is (w) + (—w) — 2(0), we see that f and g 
have exactly the same zeros and poles except possibly at w = 0. But then 
(2.2b) implies that they have the same order at 0, also. Therefore f(z)/g(z) is a 
holomorphic elliptic function, hence is constant (2.1). This proves that f(z) 
= cg(z)eC(e(z), 9'(z)). O 


In order to prove the converse to (2.2), it is convenient to introduce a 
“theta function” for A. 
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Definition. The Weierstrass o-function (relative to A) is the function defined by 
the product 


Z 
o(z) = o(z; A) =z | | (: — = )e7G/e)-@/o)?/2, 
oeA @ 
a0 


The following lemma gives the basic facts that we will need concerning 
o(z). For a further description, see exers. 6.3, 6.4. 


Lemma 3.3. (a) The infinite product for o(z) defines a holomorphic function on 
all of C. It has simple zeros at each ze A, and no other zeros. 

d2 

°F log o(z)= —@(z) forallzeC—A. 


(c) For any we A there are constants a, be C such that 


(b) 


o(z + @)=e"*o(z) forall zeC. 


Proor. (a) That the infinite product is absolutely and uniformly convergent 
on C follows from (3.1a) and standard facts about convergence of infinite 
products ([Ahl, ch. 5, §2.3]). The location and order of the zeros is clear by 
inspection. 

(b) From (a) we can differentiate 


Zz z 1fz\ 
log o(2)= log: + 5 fioe(1-2)-2-3(2)} 


term by term. Its second derivative is, up to sign, exactly the series defining 


§(2). 
(c) From (3.1c), g(z + w) = g(z). Now integrate twice and use (b) to obtain 


log o(z + w) = log o(z) + az +b 


for constants of integration a, be C. Oo 


Proposition 3.4. Let n,,...,n,¢Z and z,,...,2,€C satisfy 
Yin, =0 and Yinjz,eA. 
Then there exists an elliptic function f(z)¢C(A) satisfying 
div(f) = ¥\n,(z;). 
More precisely, if we normalize so that )\n,z; = 0, then 


f@) = Tol — 2)". 


Proor. Let A= Enj,z;eA. Replacing n,(z,)+-°::+7,(z,) by n,(z4)+°°° 
+n,(z,) + (0) — (A), we may assume that Xn,z; = 0. Then (3.3a) implies that 


fe) =[] ol - 2)" 
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has the correct zeros and poles; while (3.3c) allows us to compute (for any 
@meA) 


fle + a/flz) = [eer 
as elaz+b)En; 9 — akn;z; 
=1. 
Therefore f(z)eC(A). oO 


We next derive the Laurent series expansion for g(z) about z = 0, from 
which we will deduce the fundamental algebraic relation satisfied by (z) and 


(2). 
Theorem 3.5. (a) The Laurent series for go(z) about z = 0 is given by 
(z) = Zz? + >, (2k + 1G ¢¢32"". 
k=1 


(b) For all zeC with zé A, 
g'(z)? = 4¢(z)> — 606, ~(z) — 140G,. 


ProoF. (a) Provided |z| < |w|, we have 


(z-—o)*—@ ?=@ 7[(1 — 2/@)-? — 1] 
= x (n + 1)z"/w"*?. 
n=1 


Substituting this into the series for g(z) and reversing the order of summa- 
tion gives the desired result. 
(b) We write out the first few terms in various Laurent expansions: 


go'(z)? = 4z~© — 24Gyz~? — 80G, + °° 
(2)? = 27° + 9G4z~? + 15G5 + °° 
(2) =2-? + 3Gyz7 +°°. 
Comparing these, we see that the function 
f(z) = e'(2)? — 4e(z)? + 60G, @(z) + 1406, 


is holomorphic around z = 0 and vanishes at z = 0. But it is also elliptic 
relative to A, and from (3.1b) it is holomorphic away from A, hence it is a 
holomorphic elliptic function. From (2.1), we conclude that f(z) is identically 
Zero. O 


Remark 3.5.1. It is standard notation to set 


J2 = 92(A) = 60G, and g3 = g3(A) = 140G.. 
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Then the algebraic relation between g(z) and g'(z) reads 
9'(2)! = 4@(z)° — 92.@(2) — 9. 


Let E/C be an elliptic curve. Since the group law E x E- E is given by 
everywhere locally defined rational functions (III.3.6), we see in particular 
that E = E(C) is a complex Lie group. (Le. It is a complex manifold with a 
group law given locally by complex analytic functions.) Similarly, if A < C is 
a lattice, then C/A with its natural addition is a complex Lie group. The next 
proposition shows that C/A is always complex analytically isomorphic to an 
elliptic curve. 


Proposition 3.6. Let g, and g, be the quantities associated to a lattice A c C. 
(a) The polynomial 


f(x) = 4x3 — gox — 93 
has distinct roots. Its discriminant 
A(A) = 93 — 2793 


is not zero. 
(b) Let E/C be the curve 


Ezy’ =4x° — g.x — gs, 
which is an elliptic curve from (a). Then the map 
¢:C/A>Ec PC) 

z>[g(2), @'(2), 1] 


is a complex analytic isomorphism of complex Lie groups. (I.e. It is an isomor- 
phism of Riemann surfaces which is a group homomorphism.) 


Proor. (a) Let {@,, .} be a basis for A, and let w; = @, + @ 2. Then since 
g’'(z) is an odd elliptic function, we see that 


§2'(@;/2) = — 9'(—@,/2) = — 9'(@;/2), 


so ¢'(@,/2) = 0. Hence from (3.5b), f(x) vanishes at each x = ¢9(a,/2), so it 
suffices to show that these three values are distinct. 

The function g(z) — g(@,/2) is even, hence has at least a double-zero at 
z = @;/2. But since it has order 2, these are the only zeros (in an appropriate 
fundamental parallelogram). Therefore ¢9(w;/2) # 99(@,/2) for j # i. 
(b) The image of ¢ is contained in E from (3.3b). To see that ¢ is surjective, let 
(x, y)€ E. Then go(z) — x is a non-constant elliptic function, so from (2.1) it 
has a zero, say z = a. It follows that '(a)* = y?, so replacing a by —a if 
necessary, we obtain g’(a) = y. Then ¢(a) = (x, y). 

Next suppose that ¢(z,) = ¢(z). Assume first that 2z,¢A. Then the 
function g(z) — g(z,) has order 2 and zeros z,, —z,, 25. It follows that 
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Z, = +z, (mod A); and now 
@' (21) = @'(22) = @'(421) = + (21) 


implies that z, = z, (mod A). [Note g’(z,) 4 0 from the proof of (a).] Now if 
instead 2z, eA, then o(z) — go(z,) has a double zero at z,, and vanishes at z,, 
so again we conclude that z, = z, mod A. This proves that ¢ is injective. 

Next, in order to show that ¢ is an analytic isomorphism, we compute its 
effect on the cotangent space. At every point of E, dx/y is a non-vanishing 
holomorphic differential. Since 


o*(dx/y) = deo(z)/p'(z) = dz 


is similarly non-vanishing and holomorphic at every point of C/A, we see 
that ¢ is a local isomorphism. But ¢ is bijective from above, so this implies 
that it is a global isomorphism. 

Finally, to see that ¢ is a group homomorphism, let z,, z,¢C. From (3.4), 
there is a function f(z)eC(A) with divisor 


div(f) = (21 + 22) — (21) — 2) + 0). 


Using (3.2), we can write f(z) = F(g(z), 9'(z)) for some rational function 
F(X, Y)eC(X, Y); and then considering F(x, y)—C(x, y) = C(E), we have 


div(F) = ((z, + Z2)) — (G(Z1)) — (P(Z2)) + (G(0)). 
It follows from (III.3.5) that 
P(Z1 + 22) = O21) + (22). Oo 


§4. Maps—Analytic and Algebraic 


In this section we investigate complex analytic maps between complex tori. It 
turns out that they all have a particularly simply form; and, somewhat more 
surprisingly, the maps which they induce on the corresponding elliptic curves 
via (3.6b) are actually isogenies (i.e. given by rational functions). 

Thus let A, and A, be lattices in C. If «€C has the property that 
aA, < Aj, then scalar multiplication by a 


$,:C/Ay >C/A, — $,(z) = az (mod A,) 
is clearly a holomorphic homomorphism. We now show that these are essen- 
tially the only holomorphic maps. 
Theorem 4.1. (a) With notation as above, the association 
{aeC:aA, < A,} > {holomorphic maps $: C/A, + C/A, with ¢(0) = 0} 


a> Py 
is a bijection. 
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(b) Let E, and E, be the elliptic curves corresponding to the lattices A, and A, 
as in (3.6b). Then the natural inclusion 


{isogenies $ : E, + E,} > {holomorphic maps ¢: C/A, > C/A, with ¢(0) = 0} 


is a bijection. 


Proor. (a) If ¢, = ¢, then for all zeC, az = Bz (mod A,). Hence the map 
z—»(a— f)z sends C to A,; and since A, is discrete, this map must be 
constant. Therefore « = B. 

Next let 6: C/A, + C/A, be a holomorphic map with 4(0) = 0. Then, since 
C is simply connected, we can lift ¢ to a holomorphic map f:C > C with 
(0) = 0 so that the following diagram commutes: 


C3 
gal 
C/A, & C/Ag. 


Now for any weA,, f(z + @) = f(z) (mod A,) for all ze C. Again using the 
discreteness of A,, we see that f(z + w) — f(z) must be independent of z. 
Thus 


f'(z+ 0) = f'(2) for all zeC and all we Ay. 


This says that f’(z) is a holomorphic elliptic function, so from (2.1) it is 
constant. Therefore f(z) = az + y for some a, ye C. Now f(0) = 0 implies that 
y = 0, and f(A,) < A, implies «A, < A,,s0 ¢ = ¢,. 

(b) First note that since an isogeny is given locally by everywhere defined 
rational functions (i.e. it is a morphism), the map induced on the correspond- 
ing complex tori will be holomorphic. Thus our association 


Hom(E,, E,) > Holom. Map(C/A,, C/A.) 
is well-defined; and it is clearly injective. 
We now prove surjectivity. From (a), it suffices to consider a map of the 


form ¢,, where «€C* satisfies «A, < A,. The induced map on Weierstrass 
equations is given by 


E, cod E, 
[e(z, A), 9'(z, A.) 1] as [e(az, A), go'(az, A.) 1), 


so we must show that (az, A,) and g’(az, A,) can be expressed as rational 
functions of go(z, A,) and g’(z, A,). But using the fact that wA, < A, we see 
that for any we A,, 


e(a(z + @), A2) = ~laz + aw, Az) = e(az, Az); 


and similarly for (az, A). Thus go(az, A,) and g’(az, A,) are in C(A,). But 
C(A,) = C(e(z, A,), @'(z, A,)) from (3.2), which gives the desired result. 1 
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Corollary 4.1.1. Let E,/C and E,/C be elliptic curves corresponding to lattices 
A, and A, as in (3.6b). Then E, and E, are isomorphic (over C) if and only if A, 
and A, are homothetic. (I.e. A, = aA, for some ae C*.) 


ProoF. Clear from (4.1). oO 


Remark 4.2. Since the maps ¢, are clearly homomorphisms, (4.1) implies that 
every complex analytic map from E,(C) to E,(C) taking O to O is necessarily 
a homomorphism. This is the analogue of (III.4.8), which says that every 
isogeny of elliptic curves is a homomorphism. 


§5. Uniformization 


The uniformization theorem for elliptic curves says that every elliptic curve 
over C is parameterized by elliptic functions. The most natural proof of this 
fact uses the theory of modular functions; that is, functions on the set of 
lattices in C. (For example, g,(A) and g3(A) are modular functions.) The 
proof is not difficult, but would take us rather far afield, so we will be content 
to merely state the result here and use it to make various deductions. 


Theorem 5.1. Uniformization Theorem. Let A, BEC satisfy A? — 27B? #0. 
Then there exists a unique lattice A < C such that g,(A) = A and g;(A) = B. 


ProorF. See [Ap, Thm. 2.9], [Rob, 1.3.13], [Shi 1, §4.2], or [Se 7, VII Prop. 5]. 
im 


Corollary 5.1.1. Let E/C be an elliptic curve. Then there exists a lattice A < C, 
unique up to homothety, and a complex analytic isomorphism 


@:C/A>E(C) oz) = Lee, A), @’, A), 1] 


of complex Lie groups. 


Proor. The existence is immediate from (3.6b) and (5.1), and the uniqueness is 


(4.1.1). oO 
We are now in a position to prove the results left undone in section 1. 
Proposition 5.2. Let E/C be an elliptic curve with Weierstrass coordinate func- 


tions x, y. 
(a) Let « and B be paths on E(C) giving a basis for H,(E, Z). Then the periods 


O, = | dx/y and @,= | dx/y 
a B 


are R-linearly independent. 
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(b) Let Ac C be the lattice generated by w, and w,. Then the map 
P 
F:E(CQ)>C/A F(P) = | dx/y (mod A) 
0 


is a complex analytic isomorphism of Lie groups. Its inverse is the map given in 
(5.1.1). 


ProoF. (a) From (5.1.1) there exists some lattice A, such that the map 


Pi:C/A, > EC) — $4(2) = [Lolz Ay), @’, Ad), 1] 


is a complex analytic isomorphism. It follows that gj! 0a and ¢;!of area 
basis for H,(C/A,, Z). Note further that H,(C/A,, Z) is isomorphic to A, via 
the map y — |, dz; while the differential dx/y on E pulls back to 


9} (dx/y) = de(2)/'(z) = dz 
on C/A,. Therefore the periods 


o,= [ duiy=[ dz and on= | aiy=| dz 
a ¢, 100 B ¢, 10g 


are a basis for A,, so in particular they are R-linearly independent. 

(b) We have just shown above that the lattice A, corresponding to E in 
(5.1.1) is precisely the lattice A generated by the periods of E. The compo- 
sition F o ¢ thus gives an analytic map 


(9(2), 9'(2)) 
Fo¢@:C/A>C/A Fod¢(z) = | dx/y. 
o 
Since 
F*(dz) = dx/y and $*(dx/y) = dg(z)/@'(z) = dz, 
we see that 


(F 0 #)* dz = dz. 


On the other hand, (4.1a) says that any analytic map C/A > C/A has the form 
Wa(z) = az for some ae C*. Since y*(dz) = adz, we see that F 0 ¢(z) = z. (Le. 
F o¢ is the identity map.) But we already know (3.6b) that ¢ is an analytic 
isomorphism; and so F = ¢"! is, too. O 


Much of the preceding material can be summarized as an equivalence of 
certain categories. 
Theorem 5.3. The following categories are equivalent. 


(a) Objects: Elliptic curves over C. 
Maps: Isogenies. 
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(b) Objects: Elliptic curves over C. 
Maps: Complex analytic maps taking O to O. 
(c) Objects: Lattices A < C, up to homothety. 
Maps: Map (A,, A2) = {aeC: aA, < Ay}. 


Proor. The one-to-one correspondence between elliptic curves over C and 
lattices (modulo homothety) follows from (3.6b), (5.1.1), and (5.2). The match- 
up of the maps in (a), (b), (c) is precisely the content of (4.1). oO 


Remark 5.3.1. The equivalence of (a) and (b) in (5.3) is a very special case of a 
general principle (GAGA [Se 1]), which says (among other things) that any 
complex analytic map between projective varieties over C is necessarily given 
by rational functions. (For an introductory discussion, see [Har, app. B].) 


We now use the uniformization theorem (really (5.1.1)) to make some 
general deductions about elliptic curves over C. It is worth remarking that 
even without knowing (5.1.1), everything that we are about to prove would at 
least apply to those elliptic curves which occur in (3.6b). The uniformization 
theorem merely says that this class of curves includes every elliptic curve 
over C. 


Proposition 5.4, Let E/C be an elliptic curve and m > | an integer. 
(a) As abstract groups, 


E[m] = Z/mZ x Z/mZ. 
(b) The multiplication-by-m map [m]: E > E has degree m?. 


Proor. (a) From (5.1.1), E(C) is isomorphic to C/A for some lattice A < C. 
Hence 


1 
E[m] = (C/A) [m] = ils ~ (Z/mZ)’. 


(b) Since char C = 0 and [m] is unramified, the degree of [m] is just the 
number of points in E[m] = [m]* {0}. oO 


Let E/C be an elliptic curve. Notice that (4.1) allows us to identify End(E) 
with a certain subring of C. Thus if E(C) = C/A as in (5.1.1), then 


End(E) = {aeC:aA ¢ A}. 


Since A is unique up to homothety (4.1.1), this ring is independent of A. We 
now use this description of End(E) to completely characterize the possible 
endomorphism rings which can occur. We recall the following definition 
from (IIT §9). 
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Definition. Let % be a number field. An order & of # is a subring of # 
which is finitely generated as a Z-module and satisfies 2 @ Q = #. 


Theorem 5.5. Let E/C be an elliptic curve, and let w,, @, be generators for the 
lattice A associated to E by (5.1.1). Then either 


(i) End(£) = Z; or 
(ii) Q(@,/@,) is a quadratic imaginary extension of Q, and End(E) is isomor- 
phic to an order in Q(@, /@). 


Proor. Let t = w,/@,. Since A is homothetic to Z + Zt (multiply by 1/az), 
we may replace A by Z + Zz. Let 


R= {axeC:aA cA}, 


so @ = End(E) from (4.1). Then for any we &, there are integers a, b, c, d such 
that 


a=a+bt and at=c+ dt. 
Eliminating t yields 
a? —(a+ dja+be=0. 


Thus @ is an integral extension of Z. 
Now suppose that @ # Z, and choose xe & with a ¢ Z. Then with notation 
as above, b ¥ 0, so eliminating « gives a non-trivial equation 


bt? —(a—d)t+c=0. 


Therefore Q(t) is a quadratic imaginary (since t ¢ R) extension of Q. Finally, 
since # < Q(t) and Z& is integral over Z, it follows that Z is an order of Q(t). 
| 


§6. The Lefschetz Principle 


The Lefschetz principle says roughly that algebraic geometry over an arbi- 
trary algebraically closed field of characteristic 0 is “the same” as algebraic 
geometry over C. One can, of course, make this precise by formulating an 
equivalence of suitably defined categories; but we will be content here to give 
a more informal presentation. 

The first observation to make is that if the given field K can be embedded 
in C, then everything proceeds smoothly. For example, if K < C is any field 
and if E/K is an elliptic curve, then the fact that [m]: E — E is an algebraic 
map (ie. given by rational functions) implies that E[m] c E(K) ¢ E(C). 
Hence using (5.4), we obtain a proof that 


E[m] = E(K)[m] = E(C)[m] & (Z/m2)’. 
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Note that the embedding K < C need not be topological (assuming K has 
a topology in the first place.) It does not matter that we may have used the 
topology of C to reach our conclusions (such as in the analytic isomorphism 
E(C) = C/A), as long as our hypotheses and conclusions are purely algebraic. 

The second observation is that theorems in algebraic geometry generally 
deal with finite (or at worst, countable) sets. For example, any variety is 
defined by a finite set of polynomial equations (Hilbert basis theorem), and 
each equation has finitely many coefficients. Similarly, an algebraic map 
between varieties is given by a finite set of polynomials, each having a finite 
number of coefficients. Now suppose that {V,, V;,...} is a finite (or count- 
able) set of varieties defined over some field K of characteristic 0, and suppose 
that {¢,, ¢,,...} is a finite (or countable) set of rational maps (defined over 
K) between various of the V;’s. Let Kg < K be the field generated over Q by 
all of the coefficients of all of the polynomials defining all of the V,’s and all of 
the ¢;s. Then trdeg(K,/Q) clearly has cardinality at most that of the natural 
numbers, so we can embed K, < C (Zorn’s lemma). Now from the above 
discussion concerning subfields of C, we will be able to reduce most algebro- 
geometric questions concerning the V/s and ¢/s to the corresponding ques- 
tion over C, where we may be able to profitably employ techniques from 
complex analysis and differential geometry. 

To illustrate the procedure outlined above, we prove the following. 


Theorem 6.1. Let K be a field of characteristic 0 and E/K an elliptic curve. 
(a) Let m = 1 be an integer. Then 


E(m] = Z/mZ x Z/mZ. 


(b) The endomorphism ring of E is either Z or an order in a quadratic imagi- 
nary extension of Q. (Compare with (III.9.4).) 


ProoF. (a) This is immediate from (5.4) and the Lefschetz principle. 

(b) Here we can apply the Lefschetz principle to (5.5), once we note that 
End(E) is countably (in fact finitely) generated from (III.7.5). Alternatively, 
even without (III.7.5), we can argue as follows. If End(E) is neither Z nor 
quadratic imaginary, then it contains a finitely generated subring with the 
same property. Now applying the Lefschetz principle to the maps in this 
subring will contradict (5.5). O 


EXERCISES 


6.1. Let A= Za, + Za, be a lattice, and let 0(z) be an entire function (i.e. holo- 
morphic on all of C.) Suppose that there are constants a,, a,€C such that 


O(z + @,)=a,0(z) and 6O(z + w,) = a,0(z) for all zeC. 
Prove that 


O(z) = be” for some b, ceC. 
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6.2. 


6.3. 


6.4. 
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Let A c C be a lattice. 

(a) Prove that every fundamental parallelogram for A has the same area. De- 
note this area by A(A). 

(b) Prove that as R > 00, 


#{weA:|o| < R} = A(A)' xR? + O(R). 


(The big-O constant depends on A, of course.) 
(c) Prove that there is a constant c = c(A) such that for all R, 


#{wEeA:R<|o|<R+1} <cR. 


(a) Prove that for all z, aeC, 


e(z) — e(a) = _o@ + ao(z — 4) 


o(z)°o(a)? 
[Hint: Compare zeros and poles. ] 
(b) Prove that 
yy, 2(22) 
9 (z) re o(z)* 


(c) Prove that for every integer n, the function o(nz)/o(z)” is in C(A). 
(d) More precisely, prove that 


o(nz) 
o(z)" 


(— 1 {1121.2 — Da = det M(@))1 <injen-a- 


Define the Weierstrass C-function €(z) (not to be confused with the Riemann 
¢-function) by the series 


(a) Prove that 


# log ote) =tl2) and “ te) = — 9) 
Zz dz 


(b) Prove that 
o(—z) = —C(2); 
and that for all we A, 
O(z + @) = C(z) + n(o), 


where y(@) = 2¢(w/2) is independent of z. 
(c) Prove that the map 7: A > C given in (b) is linear. 
(d) Write A = Za, + Za, with Im(@,/@,) > 0. Prove the Legendre relation 
24(@,) — ©, N(@2) = 2ni. 


[Hint: Integrate ¢(z) around a fundamental parallelogram. ] 
(e) Prove that 
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6.5. 


6.6. 


6.7. 


6.8. 


o(z + @) = £eMMEtP2)G(z), 


where the sign is positive or negative according to we2A or wé2A 
respectively. 

(f) Extend 7: A > C to an R-linear map 4: C > C by identifying A @7R with 
C. Let 


G(z) = e.g (2), 
Prove that for all we A, 
|G(z + @)| = |G(z)]. 
Hence |G(z)| defines a real analytic function C/A > R. 
Verify the following indefinite integrals. 
(a) J e(2)? dz = G@'(2) + 2922 + C. 
(b) | p(2) dz = zo" (2) — Fo926(2) + Ho93z + C. 
For a lattice A < C, let g,(A) and g3(A) be as in (3.3.1), and define 
A(A) = g2(A)> — 27g3(A)?_ and j(A) = 1728g,(A)°/A(A). 
(a) Let ae C*. Prove that 
g2(aA) = a *g5(A) g3(aA) = « °gs(A); 
and so 
A(aA) =a A(A) —j(aA) = j(A). 


(b) Prove that j(A,) = j(A,) if and only if there is an a€ C* such that «A, = Ad. 
(c) Prove that 


j(Z + Zi) =1728 and j(Z + Ze”) =0. 


Elliptic curves over R. Let E/C be an elliptic curve corresponding to a lattice 

AcC. 

(a) Prove that E can be defined over R if and only if there is an «€ C* such that 
aA is mapping to itself by complex conjugation. [Hint: First show that 
H(A) = j(A).J 

(b) Suppose E is defined over R, and that we have chosen a lattice A for E which 
is invariant under complex conjugation. Prove that A(A)eéR; and that E(R) 
is connected if and only if A(A) > 0. 

(c) Let E/C have a Legendre equation 


E:y* =x(x — I(x — 4). 


Prove that A€ R if and only if E can be defined over R and E[2] < E(R). 
(d) If E is defined over R and E[2] < E(R), prove that there is a lattice for E 
which is rectangular (ic. of the form Zw, + Z@,i with w,, @, €R). 


Let #/@ be a quadratic imaginary field, Z the ring of integers of #, and hg the 
class number of &@. Prove that up to isomorphism, there are exactly hg elliptic 
curves E/C with End(E) = &. If E is such a curve, conclude that j(E) is an 
algebraic number satisfying [4 (j(E)): #] < hg. (In fact, #(j(E)) is the Hilbert 
class field of %#. See (C §11) and the references listed there.) 
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6.9. Let E,/C and E,/C be elliptic curves, and assume that E, has complex multi- 
plication. Prove that E, is isogenous to E, if and only if 


End(E,) ® @ = End(E,) @ Q. 


6.10. Let 6: E, — E, be an isogeny of elliptic curves over C, and let ae C* correspond 
to ¢ via the equivalence in (4.1). (Le. E; = C/A; and «A, < A;.) Prove that % 
corresponds to the dual isogency ¢ : E, > E,. 


Elliptic Integrals. The following exercises (6.11—6.13) develop a minute por- 
tion of the classical theory of elliptic integrals. 


6.11. Let E/C be an elliptic curve given by a Legendre equation 
E:Y? = X(X —1)(X — A). 
(a) Prove that there is a keC — {0, +1} such E has an equation of the form 
E:y? = (1 — x?)(1 — k?x?). 

(Hint: Let X = (ax + b)/(cx + d) and Y = ey/(cx + d)? for appropriate a, b, 
c, d,eeC.] 

(b) For a given value of A, find all possible values of k. Conversely, given k, find 
all values of A. 

(c) Express the j-invariant j(E) in terms of k. 


(d) Suppose Ae R. (See exer. 6.7.) Show that k may be chosen so as to satisfy 
0<k<1. 


6.12. Complete Elliptic Integrals. Let E be an elliptic curve given by an equation 
E:y? =(1 — x?)(1 — k?x?). 


To simplify matters, assume that 0 < k < 1. (See exer. 6.11d.) Define complete 
elliptic integrals of the first and second kind to the modulus k by 


ldx 1 
K(k) = | rues | {(1 — x?)(1 — k?x?)}"? dx First Kind 
0 0 


1 1 
E(k) = | ydx = | {(1 — x?)(1 — k?x?)}4? dx Second Kind. 
0 0 


(This notation is classical. Note that this is the only place in this book where 

E(k) will not mean the k-rational points on E.) 

(a) Make appropriate branch cuts, and show that the lattice for E is generated 
by the periods 


a {(1 — x?)(1 — k?x?)}""? dx and 2" (62 — 1)(1 — k2x2)}-#2 dx. 
9 1 


(b) Let k’ be the complementary modulus defined by k? +k”? =1,0<k’ <1. 
Prove that 


{" {(x? — 1)(1 — k?x?)} 1? dx = i (1 — x40 — k?X2)}-12 ie 
s 0 
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[Hint: Let x = (1 — k’?X7)"".] Conclude that the period lattice for the 
elliptic curve E/C is generated by 4K(k) and 2iK(k’. 
(c) Prove the transformation formulas 


2/k 1—k\ 1+k 
K{—— ]=(1+ k)K(k : 
(4) (1+ k)K(k) and K(- 5 —.— K(k’). 
[Hint: For the former, use the substitution x = (k + 1)X/(1 + kX?).] 


6.13. (a) Show that the complete elliptic integrals defined above may also be written 
as 


n/2 
K(k) = | (1 — k? sin? 6)" 1? da, 
0 


n/2 
E(k) = | (1 — k2 sin? 6)! d0. 
0 


(b) Prove that the arclength of the ellipse 
x?/a? + y?/b? =1 
is given by the complete elliptic integral 
4aE(./1 — (b/a)?) 
(We assume a > b > 0.) 
(c) Prove that the arclength of the lemniscate 


r? = cos 20 


is given by the complete elliptic integral 2,/2K(1/./2). Show that it also 
equals 4{§ (1 — x*)"1? dx. (Thus the arclength of the lemniscate resembles 
the arclength of the unit circle, namely 2x = 4 [§(1 — x?) dx.) 


6.14. The Arithmetic-Geometric Mean. For a, be R with a > b> 0, we define two 
sequences {a,} and {b,} by 


ay =a by =b 
Ay = 2(dq + By) Opt = s/ Andy 
(a) Prove that 
0 <4y41 — Dns < < 3(a, — by). 
Deduce that the limit 
M(a, b) = Lim a, = Lim b, 


exists. M(a, b) is called the arithmetic-geometric mean of a and b. 
(b) Prove that 


M(a, b) = M(a,, b;) = M(az, b2) =""°, 
and 


Mca, cb) = cM(a, b). 
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(c) Define the integral I(a, b) by 
n/2 
I(a, b) = | (a? cos? 6 + b? sin? 6)~? dé. 
cv) 


Show that I(a, b) is related to certain complete elliptic integrals by the 
formulas 


2./k 
I(a, b) = a 1K 2Ji and I(a,, b,) = aj! K(k). 
1+k 
Hint: Take k = “| 
a+b 
(d) Prove that 
M(a, b)I(a, b) = 1/2. 


[ Hint: Use (c) and (exer. 6.12c) to prove that I(a, b) = I(a,, b,). Then calcu- 
late Lim I(a,, b,).] Combining (c) and (d), note that complete elliptic in- 
tegrals of the first kind (for 0 < k < 1) may be computed in terms of the 
arithmetic-geometric mean. 


(e) Prove that the rate of convergence predicted by (a), namely a, —b, < 
2-"(a — b), is far slower than the reality. More precisely, use (b) to show that 
it suffices to compute M(a, b) in the case that b > 1; and under this assump- 
tion, prove that 

—b\2" 
Qn+m — Ontm <8 (“=*) for all m,n > 0. 
In particular, since eventually a, —b, <1, the sequences {a,} and {b,} 
eventually converge doubly exponentially. 
(f) Show that 


{ (1 — 244? dz = n/2M(,/2, 1), 
C0) 


and use this equality to calculate the value of the complete elliptic integral. 
(It was the observation that these two numbers, calculated independently, 
agree to eleven decimal places which led Gauss to initiate his extensive study 
of the arithmetic-geometric mean. For a fascinating account of this subject, 
see [Cox].) 


CHAPTER VII 


Elliptic Curves over Local Fields 


In this chapter we study the group of rational points on an elliptic curve 
defined over a field which is complete with respect to a discrete valuation. We 
start with some basic facts concerning Weierstrass equations and “reduction 
modulo x”. This enables us to break our problem up into several pieces; and 
then by examining each piece individually, we will be able to deduce a great 
deal about the group of rational points as a whole. Unless explicitly stated 
otherwise, we will use the following notation. 


K a local field, complete with respect to a discrete valuation v 
R the ring of integers of K = {xe K : v(x) > 03 

R* the unit group of R = {xe K: v(x) = 0} 

M the maximal ideal of R = {xe K : v(x) > 0} 

1 a uniformizer for R (i.e. .@ = mR) 

k the residue field of R = R/.%. 


We will further assume that v is normalized so that v(z) = 1. Note that by 
convention, v(0) = oo is assigned a value larger than every real number. 
Finally, in keeping with our general policy, we will assume that both K and k 
are perfect fields. 


§1. Minimal Weierstrass Equations 


Let E/K be an elliptic curve, and let 
y? + a,xy + asy = x9 + a,x? + agx + dg 


be a Weierstrass equation for E/K. Since replacing (x, y) by (u~?x, u~>y) 
causes each a; to become u'a,, if we choose u divisible by a large power of z, 
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then we can find a Weierstrass equation with all coefficients a,;¢ R. Then the 
discriminant A satisfies v(A) > 0; and since v is discrete, we can look for an 
equation with v(A) as small as possible. 


Definition. Let E/K be an elliptic curve. A Weierstrass equation as above is 
called a minimal (Weierstrass) equation for E at v if v(A) is minimized subject 
to the condition a,, a2, 43, 44, ag € R. This value of v(A) is the valuation of the 
minimal discriminant of E at v. 


Remark 1.1. How can one tell if a given Weierstrass equation is minimal? 
First, by definition, all of the a?s must be in R, so in particular the discrimi- 
nant A is in R. If the equation is not minimal, then there is a coordinate 
change giving a new equation with discriminant A’ = u'?AeR (cf. III.1.2). 
Thus v(A) can only be changed by multiples of 12, so we conclude: 


If a;éR and v(A) < 12, then the equation is minimal. 
Similarly, since c, = u*c, and c, = u°cg, we have: 
If a,;eR and v(c4) < 4 (or v(c¢) < 6), then the equation is minimal. 


If char(k) # 2, 3, then the converse holds, namely minimality implies either 

v(A) < 12 or v(c,4) < 4. (See exer. 7.1.) For arbitrary K there is an algorithm of 

Tate ([Ta 6]) which will determine if a given equation is minimal. 

Example 1.2. Let p be a prime and consider the Weierstrass equation 
E:y?+xy+ty=x3+x?4+22x-9 


over the field Q,. This equation has discriminant A = —2'°S? and c, = 
—5-+211. Hence using the above criteria (1.1), this is a minimal Weierstrass 
equation at p for every prime pe Z. 


Proposition 1.3. (a) Every elliptic curve E/K has a minimal Weierstrass 
equation. 
(b) A minimal Weierstrass equation is unique up to a change of coordinates 


x=ux’+r  y=uby’+u’sx' +t 
with ue R* andr, s, te R. 
(c) The invariant differential 
@ = dx/(2y + a,x + a3) 


associated with a minimal Weierstrass equation is unique up to multiplication by 
an element of R*. 
(d) Conversely, if one starts with any Weierstrass equation with coefficients 
a;¢€ R, then any change of coordinates 

x=u?x’+r y=uy’+u?sx' +t 


used to produce a minimal Weierstrass equation satisfies u, r, s, té R. 
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ProorF. (a) One can easily find some Weierstrass equation with all a;e R, and 
among such there is a minimal v(A) since v is discrete. 

(b) We know (III.3.1b) that any Weierstrass equation for E/K is unique up to 
the indicated change of coordinates with ue K* and r, s, te K. Now suppose 
the given equation and the new equation are both minimal. We use the 
transformation formulas (III.1.2). From the definition of minimality, we have 
v(A) = v(A’). But u!?A’ = A, so ue R*. From the transformation for bg (re- 
spectively bg) we see that 4r? (respectively 3r*) is in R, hence re R. Now the 
transformation for a, gives se R, and that for a, gives te R. 

(c) Clear from (b), since w’ = uo. 

(d) Since u!?A’ = A and v(A’) > v(A) (because the new equation is to be 
minimal), we see that v(u) > 0, so ue R. Now the proof in (b) can be repeated 
to show that r,s, te R. Oo 


§2. Reduction Modulo z 


We next look at the operation of “reduction modulo x”, which we denote by 
a tilde. Thus, for example, the natural reduction map R > k = R/nR is de- 
noted t > t. Now having chosen a minimal Weierstrass equation for E/K, we 
can reduce its coefficients modulo z to obtain a (possibly singular) curve over 
k, namely 


E:y? + G,xy + dgy =x? + Gx? + Gyx + dg. 
The curve E/K is called the reduction of E modulo x. From (1.3b), since we 
started with a minimal equation for E, the equation for E is unique up to the 
standard change of coordinates (III.3.1b) for Weierstrass equations over k. 
Next let Pe E(K). We can find homogeneous coordinates P = [X9, Yo, Zo] 

with Xo, Yo, Zo € R and at least one of xo, Yo, Zp in R*. Then the reduced point 
P = [%o, Vos Zo] is in E(k). This gives a reduction map 

E(K) > E(k) 

PP. 

(More generally, one can similarly define a reduction map 

P"(K) + P"(k). 


The above map is just its restriction to E(K) < P?(K).) 

Now the curve E/K may or may not be singular (more on this later), but 
recall (III.2.5) that in any case its set of non-singular points, denoted E,,(k), 
forms a group. We define two subsets of E(K) as follows: 


E,(K) = {Pe E(K): PeE,,(k)}; 
E,(K) = {Pe E(K): P = 0}. 
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In words, E,(K) is the set of points with non-singular reduction, and E,(K) is 
the kernel of reduction. From (1.3b), they do not depend on which minimal 
Weierstrass equation we choose. 


Proposition 2.1. There is an exact sequence of abelian groups 
0 — E,(K) > E,(K) > E,,(k) > 0, 


where the right-hand map is reduction modulo 1. 


Proor. The group laws on E(K) and E,,,(k) are defined by taking the inter- 
section of the curve with lines in P?. Since the reduction map P?(K) > 
P?(k) takes lines to lines, it follows that E)(K) is a group, and that the map 
E,(K) — E,,(k) is a homomorphism. Exactness at the left and center now 
comes directly from the definition of E,(K). 

It remains to show that the reduction map is surjective. This will follow 
from Hensel’s lemma and the completeness of K. Thus let 


f(x, y) = y? + ayxy + a3y — x° — a,x? — ayx — ag =0 

be a minimal Weierstrass equation, f(x, y) the corresponding polynomial 
with coefficients reduced modulo z, and P = (a, B)eE,,(k) any point. Since P 
is a non-singular point of E, we know that either 

iar of = 

F py #0 or F py #0, 

Ox oy 
say the former. (The other case is entirely similar.) Choose any ypéR with 
Jo = B, and look at the equation 


F(%, Yo) = 9. 


When reduced modulo z, this equation has a as a simple root, since 
(Af /Ax)(a, fo) # 0. Hence by Hensel’s lemma ([La 2, Ch. II, Prop. 2]), the root 
a can be lifted to an x) € R such that X) = a and f(xo, yo) = 0. Then the point 
P = (Xo, Yo) € Eo(K) reduces to P. oO 


Note that if v(A) = 0, so A 4 0, then £ is non-singular, E,, = E, and so 
E,(K) = E(K). In this case (2.1) says that E(K) is built up from two pieces, 
E,(K) and E(k). Now E(k) is the set of points on an elliptic curve defined over 
a smaller field; and we will often consider the case where k is a finite field, a 
situation analyzed in some detail in chapter V. 

On the other hand, the following proposition shows that E,(K) is also an 
object with which we are already familiar. 


Proposition 2.2. Let E/K be given by a minimal Weierstrass equation, let E/R 
be the formal group associated to E (IV.2.2.3), and let w(z)€ R[z] be the power 
series from (IV.1.1). Then the map 
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E(M) > E,(K) 


( 1 
we’ ~<a) 


is an isomorphism. (We understand that z = 0 goes to O. For the definition of 
the group E(.M), see (IV §3).) 


Proor. From (IV.1.1b) the point (z/w(z), —1/w(z)), when considered as a 
pair of power series, satisfies the Weierstrass equation for E. Since w(z) = 
2(1+-::)eR[z], it follows that w(z) converges for any ze./@. Hence 
(z/w(z), —1/w(z)) is in E(K) for ze.@, and since v(—1/w(z)) = —3v(z), it is 
even in E,(K). Thus we have a well-defined map 


E(M) > E,(K) 
z — (z/w(z), — 1/w(z)). 


Further, in deriving the power series giving the group law on E£, we simply 
used the group law on E (in the (z, w)-plane) and then replaced w by w(z). 
Therefore the map is a group homomorphism. Since w(z) = 0 only for z = 0, 
it is injective, so it remains to show that the image is all of E,(K). 

Let (x, y)€ E,(K). Since (x, y) reduces modulo z to the point at infinity on 
E(k), we see that v(x) < 0 and v(y) < 0. But then from the Weierstrass equa- 
tion y? + --- = x3 +++, we must have 


3v(x) = 2v(y) = —6r 
for some integer r > 1. Hence x/ye.@, so the map 
E,(K) > E() 
(x, y) > —x/y 


is well-defined. Again because the group law on E(.@) is defined by using the 
group law on E, this map is a homomorphism; and it is clearly injective. 
Hence we have two injections 


E(M) > E,(K) > E(@) 


whose composition is the identity, so they are isomorphisms. | 


§3. Points of Finite Order 


In this section we analyze the points of finite order in the group E(K). 
Although we will prove a stronger result below (3.4), we start with the follow- 
ing easy proposition, which will provide a crucial ingredient in the proof of 
the weak Mordell—Weil theorem (VIII.1.1). 
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Proposition 3.1. Let E/K be an elliptic curve and m 2 | an integer relatively 
prime to char(k). 

(a) The subgroup E,(K) has no non-trivial points of order m. 

(b) If the reduced curve E/K is non-singular, then the reduction map 


E(K)[m] > E(k) 
is injective. (Here E(K)[m] denotes the set of points of order m in E(K).) 


ProorF. From (2.1) we have an exact sequence 
0 — E,(K) > Eo(K) > E,,(k) > 0. 


But from (2.2), E,(K) = E£(@), where E is the formal group associated to E; 
and from our general result on formal groups (IV.3.2b), E(.Z) has no non- 
trivial elements of order m. This proves (a). Now if £ is non-singular, then 
E,(K) = E(K) and E,,(k) = E(k), so the m-torsion in E(K) injects into E(k), 
which proves (b). oO 


Application 3.2. The above proposition (3.1) generally provides the quickest 
method for finding the torsion subgroup of an elliptic curve defined over a 
number field. Thus let K be a number field and K, the completion of K at 
some discrete valuation v. Then clearly E(K) injects into E(K,), so by apply- 
ing (3.1) for several differents v’s, one can obtain information about the 
torsion in E(K). We illustrate with several examples over Q. 


Example 3.3.1. Let E/Q be the elliptic curve 
E:y?+y=x3-x41. 


Its discriminant A = —643 is prime, so E(modulo 2) is non-singular. One 
easily checks that E(F,) = {0}, hence from (3.1) we conclude that E(Q) has 
no non-zero torsion points. 


Example 3.3.2. Let E/Q be the elliptic curve 
E:y?=x3 +3. 
Its discriminant is A = —3°2*, so E(modulo p) is non-singular for every 
p > 5. One easily checks that 
#E(F;)=6 and #E(F,) = 13. 


Hence E(Q) can have no non-trivial torsion. In particular, the point 
(1,2) € E(Q) has infinite order, and so E(Q) is an infinite set, two facts which 
are by no means obvious. (For the complete analysis of the rational torsion 
points on the curves y* = x° + D with DeZ, see [Fue] or exer. 10.19.) 


Example 3.3.3. Let E/Q be the elliptic curve 
E:y?=x3 +x, 
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whose discriminant is A = —32. The point (0,0) ¢ E(Q) is a point of order 2. 
We compute 


#E(F3)=4 #E(Fs)=4 #E(F,)=8. 


As can easily be checked (exer. 5.12), # E(F,) is divisible by 4 for every p > 5. 
But suppose we look at the actual groups, 


E(F3) = {O, (0,0), (2,1), (2,2)}, 
E(F5) = {0, (0,0), (2,0), (3,0)}. 
Now a point of E has order 2 if and only if its y-coordinate is zero. Hence 
E(F;)= Z/4Z and E(F5) = (Z/2Z)?, 


so (0,0) is the only torsion point in E(Q). 

The next result, due to Cassels, gives a precise bound for the denominator 
of a torsion point. Following Katz—Lang ([La 5, Thm. III.3.7]), we give a 
proof based on general facts concerning formal groups. For an exposition of 
Cassel’s original proof, which involves a careful analysis of division poly- 
nomials, see [Ca 1, Thm. 17.2] or [La 5, Thm. III.1.5]. 


Theorem 3.4, Assume char(K) = 0 and p = char(k) > 0. Let E/K be an elliptic 
curve given by a Weierstrass equation 


E:y? +a,xy + a3y =Xx> + a,x? + ax + dg 


with all a,e R. (N.B. The equation need not be minimal.) Let P € E(K) be a point 
of exact order m > 2. 
(a) If m is not a power of p, then x(P), y(P)eR. 
(b) If m = p", then 
nm x(P), 7" y(P)eR with r= | ne 


n n-1 


p—p 
(Here [  ] is greatest integer.) 


Proor. If the equation for EF is not minimal, and (x’, y’) are coordinates for a 
minimal equation, then from (1.3d) we see that 


v(x(P)) > v(x'(P)) and v(y(P)) > v(y'(P)). 


It thus suffices to prove the theorem for a minimal Weierstrass equation. 
If x(P)eR there is nothing to prove, so we assume v(x(P)) < 0. Then from 
the Weierstrass equation we see that 


3v(x(P)) = 2v(y(P)) = —6s for some integer s > 1. 


Further, P is in E,(K), the kernel of the reduction map, so under the isomor- 
phism of (2.2) it corresponds to the element — x(P)/y(P) in the formal group 
E(.@). But from (IV.3.2b), E(.@) contains no torsion of order prime to p, 
which proves (a). 
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To prove (b) we use (IV.6.1). Since —x(P)/y(P) has exact order p" in E(.”), 
it follows from (IV.6.1) that 


s = o(—x(P)/y(P)) < v(p)/(p" — p"”’). 


Since 25 x(P) and 2** y(P) are in R, this gives the desired result. Oo 


Application 3.5. Let E/Q be an elliptic curve given by a Weierstrass equation 
having coefficients in Z. Let Pe E(Q) be a point of exact order m. By embedd- 
ing E(Q) into E(Q,) for various primes p, we deduce integrality conditions 
on the coordinates of P. Thus if m is not a prime power, then (3.4a) implies 
x(P), y(P)eZ. But even if m= p" for some prime p corresponding to a 
normalized valuation v, we have 


[v(p)/(p" — p"*)] = [1(p" — p™*)] = 0 
unless p = 2 and n= 1. We conclude that x(P), y(P)eZ for every torsion 
point Pe E(Q) of exact order m > 3. This is best possible, as the example 
E:y?+xy=x3+x+1  (—1/4,1/8)eE(Q) [2] 


shows. For a further discussion of torsion points over number fields, see 
(VIII §7). 


§4. The Action of Inertia 


In this section we will reinterpret the injectivity of torsion (3.1b) in terms of 
the action of Galois. We set the following notation: 


Kk" the maximal unramified extension of K, 
I, the inertia subgroup of Gg). 


Since the unramified extensions of K correspond to the extensions of the 
residue field k, Gg)x has a decomposition 


1 > Gg )qnr > GgK > Gxnrjx > 1 
I I 
dy Gin 


In words, the inertia group I, is the set of elements of Gg)x which act trivially 
on the residue field k. (For these basic facts about local fields, see e.g. [Fré §7] 
or [La 2, Ch. I, If]. Remember that K and k are both assumed to be perfect.) 


Definition. Let £ be a set on which Gg,x acts. We say that & is unramified at v 
if the action of I, on & is trivial. 


Recall that if E/K is an elliptic curve, then we have seen (III §7) that Gg/x 
acts on the torsion subgroups E[m] and the Tate modules T(E) of E. 
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Proposition 4.1. Let E/K be an elliptic curve, and suppose that the reduced 
curve E/k is non-singular. 

(a) Let m > 1 be an integer relatively prime to char(k) (i.e. v(m) = 0). Then 
Em] is unramified at v. 

(b) Let ¢ # char(k) be a prime. Then T,(E) is unramified at v. 


ProoF. (a) Take a finite extension K'/K so that E[m] < E(K’), and let 
R’ =ring of integers of K’ 
M' = maximal ideal of R’ 


k’ = residue field of R’ = R'/.Z’ 


fa 


v’ = valuation on K’. 


By assumption, if we take a minimal Weierstrass equation for E at v, then its 
discriminant A satisfies v(A) = 0 (since E/k is non-singular.) But v’ restricted 
to K is just a multiple of v, so v'(A) = 0. Hence the Weierstrass equation is 
also minimal at v’, and E/k’ is non-singular. Now (3.1b) implies that the 
reduction map 


E[m] > E(k’) 
is injective. 
Let cel, and Pe E[m]. We must show that P’ = P. From the definition of 
the inertia group, o acts trivially on E(k’), so 


pe — P= Pe — P= 0. 


But P’ — P is clearly in E[m], so from the injectivity proven above we 

conclude P° — P = O. 

(b) This follows immediately from (a) and the definition T,(E) = Lim E[?¢"]. 
OC] 


There is a converse to this proposition, known as the criterion of Néron- 
Ogg-—Shafarevich, which characterizes when E/k is non-singular in terms of 
the action of the inertia group on torsion points. We will return to this in 
section 7, after first studying the reduced curve E more closely. 


§5. Good and Bad Reduction 


Let E/K be an elliptic curve. Then from our general knowledge of Weierstrass 
equations (III.1.4), the reduced curve E is one of three types. We classify E 
according to these possibilities. 


Definition. Let E/K be an elliptic curve, and let E be the reduced curve for a 
minimal Weierstrass equation. 
(a) E has good (or stable) reduction over K if E is non-singular. 
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(b) E has multiplicative (or semi-stable) reduction over K if E has a node. 

(c) E has additive (or unstable) reduction over K if E has a cusp. 

In cases (b) and (c), E is naturally said to have bad reduction. If E has 
multiplicative reduction, then the reduction is said to be split (respectively 
non-split) if the slopes of the tangent lines at the node are in k (respectively 
not in k). 


It is quite easy to read off the reduction type of an elliptic curve from a 
minimal Weierstrass equation. 


Proposition 5.1. Let E/K be an elliptic curve with minimal Weierstrass equation 
y? + ayxy + a3y = x? + a,x? + agx + dg. 


Let A be the discriminant of this equation and c, the usual combination of the 
a;’s (cf. IIT §1). 
(a) E has good reduction if and only if v(A) = 0 (i.e. AE R*). In this case E/k is 
an elliptic curve. 
(b) E has multiplicative reduction if and only if v(A) > 0 and v(c,) = 0 (i.e. 
Ae.M and c,€ R*). In this case E,,, is the multiplicative group, 

E(k) = k*. 
(c) E has additive reduction if and only if v(A)>0 and v(c,)>0 (ie. 
A, c4€.M). In this case E,,, is the additive group, 


E(k) & kt. 

Proor. The type of reduction for E follows from (III.1.4) applied to the 
reduced Weierstrass equation E over the field k. Then the group E,,,(k) is 
given by (III.2.5). 
Example 5.2. Let p > 5 be a prime. Then the elliptic curve 

E,: y*? =x? + px? +1 
has good reduction over Q,,, while 

E,:y=x3+x?+p 
has (split) multiplicative reduction over Q,, and 

E,:y?=x3+p 

has additive reduction over Q,. Notice that E; has good reduction over 
Q o(</P), since the given equation is then not minimal. (Make the substitution 
x=3/px', y= 2/p y’.) On the other hand, E, still has multiplicative reduc- 
tion over any extension of Q,. This is in fact true in general; after extending 


the ground field, additive reduction turns either multiplicative or good, while 
the latter two do not change. (See (5.4) below.) This suggests the origins of the 
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99 66 99 66. 


terms “stable”, “semi-stable”, “unstable”, although they do have quite precise 
definitions in terms of the stability of points on moduli space. (For a high- 
powered account of the general theory, see [M-—F].) 

Even if an elliptic curve E/K has bad reduction, it is often useful to know 
whether it attains good reduction over some extension of K. We give this 
property a name. 


Definition. Let E/K be an elliptic curve. E has potential good reduction over 
K if there is a finite extension K’/K so that E has good reduction over K’. 


Example 5.3. If K is a finite extension of Q,, and if E/K has complex multi- 
plication, then E has potential good reduction. (See exer. 7.10.) 

The next result explains how reduction type behaves under field extension, 
and the one immediately following provides a useful characterization of when 
an elliptic curve has potential good reduction. 


Proposition 5.4 (Semi-stable reduction theorem). Let E/K be an elliptic curve. 
(a) Let K'/K be an unramified extension. Then the reduction type of E over K 
(i.e. good, multiplicative, or additive) is the same as the reduction type of E over 
K’. 

(b) Let K’'/K be any finite extension. If E has either good or multiplicative 
reduction over K, then it has the same type of reduction over K’. 

(c) There exists a finite extension K'/K so that E has either good or (split) 
multiplicative reduction over K’. 


Proposition 5.5. Let E/K be an elliptic curve. Then E has potential good 
reduction if and only if its j-invariant is integral (i.e. if j(E)€ R). 


Proor oF (5.4). (a) For arbitrary K this follows from Tate’s algorithm [Ta 6]. 
We will assume char(k) > 5, so E has a minimal Weierstrass equation over 
K of the form 


E:y?=x3+Ax+B. 
Let R’ be the ring of integers in K’, v’ the valuation on K’ extending v, and 
x=(Px’ y= u'py’ 


a change of coordinates producing a minimal equation for E over K’. Since 
K'/K is unramified, we can find ue K with (u/u’) €(R’)*. Then the substitution 


xa pS uy! 
also gives a minimal equation for E/K’, since 
v'(u~17A) = v'((u’) 17 A). 


But this new equation has coefficients in R, so by the minimality of the 
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original equation over K, we have v(u) = 0. Hence the original equation is 
also minimal over K’. Since v(A) = v’(A) and v(c,) = v’(c4), using (5.1) we see 
that E has the same reduction type over K and K’. 

(b) Take a minimal Weierstrass equation for E over K, with corresponding 
quantities A and c,. Let R’ be the ring of integers in K’, v’ the valuation on K' 
extending v, 


x=urx’+r  y=uy’+su?x'+t 
a change of coordinates giving a minimal Weierstrass equation for E over K’. 
For this new equation the associated A’ and cj, satisfy 
0<v(A)=v'(u-'7A) and 0<v(c4) = v'(u-*c,). 
From (1.3d) we also have ue R’, hence 
0 < v'(u) < min{z0'(A), }0'(c,)}. 


But for good (resp. multiplicative) reduction we have v(A) = 0 (resp. v(c4) = 0) 
(5.1a, b), so in both cases v’(u) = 0. Hence 

v'(A’) = v'(A) and v'(c4) = v'(c4), 
so again using the characterization in (5.1), E has good (resp. multiplicative) 
reduction over K’. 


(c) We assume char(k) 4 2, and extend K so that E has a Weierstrass equa- 
tion in Legendre normal form (III.1.6) 


E:y? = x(x — 1)(x — A), A #0, 1. 
(For char(k) = 2, see (A.1.4a).) For this equation, 
Cc, = 16(47-—A+1) and A= 16A2(A — 1). 
We consider three cases. 


Case 1. 4€R, A # 0, 1 (mod .4). Then Ac R*, so the given equation has good 
reduction. 


Case 2. AER, A4=0 or 1 (mod .@). Then Ae.@ and c,e R*, so the given 
equation has (split) multiplicative reduction. 


Case 3. A¢ R. Choose the integer r > 1 so that n"Ae R*. Then the substitu- 
tion x = 2-"x', y = n>" y’ (where we replace K by K(x”) if necessary) gives 
a Weierstrass equation 

(y)? = x'(x' — n(x! — 7A) 


for E with integral coefficients, A’ e , and c,€ R*, so E has (split) multiplica- 
tive reduction. 
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ProorF oF (5.5). As above, we assume char(k) # 2 and extend K so that E has 
a Weierstrass equation in Legendre form (III.1.6) 


E:y?=x(x—1)(x—A), A#0,1. 


(For char(k) = 2, see (A.1.4b).) By assumption, j = j(E)€ R; and / is related to 
j by 


(1 — A(t — A))3 — ja? — A)? = 0. 
From this equation and the integrality of j it is immediate that 
AER and A#0or1(mod.4), 


so the given Legendre equation has integral coefficients and good reduction. 

Conversely, suppose E has potential good reduction. Let K’/K be a finite 
extension so that E has good reduction over K’, let R’ be the ring of integers 
of K’, and let A’ and c/, be the quantities associated to a minimal Weierstrass 
equation for E over K’. Since E has good reduction over K’, we have 
A’ e(R’)*, and hence 


HE) = (C4) /A' ER. 
But j(E)e K, since E is defined over K, hence j(E)e R. O 


§6. The Group E/E, 


Recall that the group E,(K) consists of those points of E(K) whose reduction 
to E(k) is not a singular point. Further, from (2.1), E)(K) is made up of two 
pieces that we have analyzed fairly closely, namely E,,(k) and the formal 
group E,(K) = E(@). We are left to study the remaining piece, the quotient 
E(K)/Eo(K). 

The most important fact about this quotient is that it is finite. As the 
theorem given below indicates, one can actually say quite a bit more. Unfor- 
tunately, a direct proof, working explicitly with Weierstrass equations, is 
quite lengthy. Since even the simplifying assumption char(k) > 5 leads to a 
long case-by-case proof, we will not give one here (but see exer. 7.7). If the 
residue field k is finite, then the mere finiteness of E(K)/E)(K) can be proven 
by an easy compactness argument (exer. 7.6). 


Theorem 6.1 (Kodaira, Néron). Let E/K be an elliptic curve. If E has split 
multiplicative reduction over K, then E(K)/E,(K) is a cyclic group of order 
v(A) = —v(j). In all other cases, E(K)/Eo(K) is a finite group of order at 
most 4. 


Corollary 6.2. The subgroup E,(K) is of finite index in E(K). 
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Proor. The finiteness of E(K)/E)(K) follows from the existence of the Néron 
model, which is a group scheme over Spec(R) whose generic fiber is E/K. The 
specific description of E(K)/E )(K) comes from the complete classification of 
the possible special fibers of a Néron model. One can also give an elementary 
(but lengthy) proof by doing explicit computations using Weierstrass equa- 
tions. See (C §15) for a further discussion oO 


Our most important application of (6.2) will be in the proof of the criterion 
of Néron—Ogg-Shafarevich, which we give in the next section. Another inter- 
esting application is the following. 


Proposition 6.3. Let K be a finite extension of Q, (so char(K) = 0 and k is a 
finite field). Then E(K) contains a subgroup of finite index which is isomorphic 
to R* (i.e. taken additively). 


Proor. From (6.2), E(K)/Eo(K) is finite; and from (2.1), Ey(K)/E,(K) is iso- 
morphic to E,,(k), which is finite since k is finite. Hence it suffices to prove 
that E,(K) has a subgroup of finite index isomorphic to R*. Now E,(K) is 
isomorphic to the formal group E(/) (2.2). Further, from (IV.3.2a), E(.@) has 
a filtration 


E(M) > E(M’) > E(M?) > 


and each quotient E(#')/E(.“@‘*) is isomorphic to .4'/.4'*, which is also 
finite since k is finite. Finally, for an appropriate r (IV.6.4b), the formal 
logarithm map provides an isomorphism 


EM) 3 M ='R (taken additively), 


which gives the desired result. O 


§7. The Criterion of Néron—Ogg—Shafarevich 


If an elliptic curve E/K has good reduction, and m > 1 is an integer prime to 
char(k), then we have seen that the torsion subgroup E[m] is unramified (4.1). 
Various partial converses were proven by Néron, Ogg, and Shafarevich, and 
these were vastly generalized by Serre and Tate. We follow the exposition in 
[S-T]. 


Theorem 7.1 (Criterion of Néron—Ogg-Shafarevich). Let E/K be an elliptic 
curve. The following are equivalent. 


(a) E has good reduction over K. 

(b) E[m] is unramified at v for all integers m > 1 relatively prime to char(k). 
(c) The Tate module T,(E) is unramified at v for some (all) primes ¢ with 
¢ # char(k). 
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(d) E[m] is unramified at v for infinitely many integers m > 1 relatively prime 
to char(k). 


Proor. We have already proven (a) => (b) (4.1), and clearly (b) = (c) > (d). 
(Note that T,(E) being unramified is the same as E[?"] being unramified for 
all n > 1.) It remains to prove that (d) implies (a). 

Assume (d) holds. Let K” be the maximal unramified extension of K. 
Choose an integer m satisfying 


(i) mis relatively prime to char(k); 
(ii) m> #E(K")/E.(K™); 
(iii) E[m] is unramified at v. 


Such an m exists, since we are assuming (d), and E(K")/E)(K”) is finite from 
(6.2). 
Now consider the two exact sequences 


0 > E,(K”) > E(K”) > E(K™)/E,(K") > 0 
0 > E,(K™) > Eo(K") > E,,.(k) + 0. 


(Note k is the residue field of the ring of integers in K”’.) Since E[m] < E(K”), 
we see that E(K") has a subgroup isomorphic to (Z/mZ)*. But from (ii), 
E(K"")/E)(K"") has order strictly less than m. It follows from the first exact 
sequence that we can find a prime ¢ dividing m so that E)(K”) contains a 
subgroup (Z//Z)?. Now look at the second exact sequence. From (3.1a), 
E,(K™) has no non-trivial ¢-torsion, so we conclude that E,,(k) has a sub- 
group isomorphic to (Z/¢Z)’. 

Now suppose that E has bad reduction over K"”. If the reduction is multi- 
plicative, then from (5.1b), 


E,s(k) = (k)*s 
but then the /-torsion in E,,(k) would be Z//Z. Hence this type of reduction 
cannot occur. Similarly, if E has additive reduction over K”, then from (5.1c), 


E(k) =k (taken additively), 


which has no ¢-torsion at all. This eliminates multiplicative and additive 
reduction as possibilities, so all that remains is for E to have good reduction 
over K"". Finally, since K™/K is unramified, we conclude (5.4a) that E has 
good reduction over K. fe} 


Corollary 7.2. Let E,, E,/K be elliptic curves which are isogenous over K. Then 
either they both have good reduction over K, or neither one does. 


Proor. Let ¢: E, > E, be a non-zero isogeny defined over K, and let m > 2 
be an integer relatively prime to both char(k) and deg ¢. Then the induced map 


¢: E,[m] > E,[m] 
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is an isomorphism of Gg,x-modules, so in particular either both are unrami- 
fied at v, or neither one is. Now use (7.1, a<>d). oO 


Another immediate corollary of (7.1) is a criterion, in terms of the action of 
inertia, for when an elliptic curve has potential good reduction. 


Corollary 7.3. Let E/K be an elliptic curve. Then E has potential good reduc- 
tion if and only if the inertia group I, acts on the Tate module T,(E) through a 
finite quotient for some (all) prime(s) ¢ # char(k). 


Proor. Suppose E has potential good reduction. Then there is a finite exten- 
sion K’/K so that E has good reduction over K’. Extending K’, we may 
assume K’/K is Galois. Let v’ be the valuation on K’ and I,, the inertia group 
of K’. From (7.1), I, acts trivially on T(E) for any ¢ 4 char(k). Hence the 
action of I, on T;(E) factors through the finite quotient I,,/I,,. This proves one 
implication. 

Assume now that for some ¢ # char(k), I, acts on T/(E) through a finite 
quotient, say I,/J. Then the fixed field of J, which we denote K’, is a finite 
extension of K” = K!», Hence we can find a finite extension K’/K so that K? 
is the compositum 


K! = K'K"™. 
Then the inertia group of K’ is equal to J, and by assumption J acts trivially 
on T,(E). Now (7.1) implies that E has good reduction over K’. Oo 
EXERCISES 


7.1. Assume that char(k) # 2,3. 
(a) Let E/K be an elliptic curve given by a Weierstrass equation with coeffi- 
cients a;¢R. Prove that the equation is minimal if and only if either 
v(A) < 12 or v(c4) < 4. 
(b) Let E/K be given by a minimal Weierstrass equation of the form 


E:y?=x3+Ax+B. 


Prove that E has 

(i) good reduction <> 4A? + 27B7e R*; 

(ii) multiplicative reduction <> 443 + 27B?e.M and ABe R*; 
(iii) additive reduction > A, Be.@. 


7.2. Let E/K be an elliptic curve with j-invariant j(E)¢R. Prove that the minimal 
discriminant A of E satisfies 


v(A) < 12 + 12v(2) + 6v(3). 
7.3. Describe all Weierstrass equations 


E:y? + a,xy + a3y =x? + a,x? + a,x + dg 
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with a,eZ and A #0 for which E(Q) contains a torsion point P satisfying 
x(P)¢Z. [Hint: cf. (3.5).] 


Let E/K be an elliptic curve given by a minimal Weierstrass equation, and 
define subsets of E(K) by 


E,(K) = {P € E(K) : v(x(P)) < —2n} U {0}. 


(a) Prove that each E,(K) is a subgroup of E(K). 
(b) Prove that for n > 1, 


E,(K)/En+1(K) = ke 


Show that the following elliptic curves have good reduction over the indicated 
field by writing down a minimal Weierstrass equation over that field. 

(a) E:y?=x3+x Q,(n), 2° = 2. 

(b) E:y?+y=x3 Q, (nx), x* = 3. 

(c) E:y?=x3+x*?-—3x-2 Q(x), n*=5. 


Assume that K is locally compact for the topology induced by the discrete 
valuation v. (This is equivalent to the assumption that k is finite, cf. [Ca 8, §7].) 
The following steps provide a proof of (6.2) for such fields. 

(a) Use v to define a topology on P*(K), and show that P*(K) is compact for 
this topology. 

(b) Let E/K be an elliptic curve and E(K) < P?(K) the inclusion coming from a 
minimal Weierstrass equation. Prove that with the induced topology, E(K) 
is compact; and that the translation map tp: E(K) > E(K) is continuous for 
any Pe E(K). 

(c) Prove that E)(K) is an open subset of E(K). (It is also a closed subset!) 

(d) Prove that E(K)/E)(K) is finite. 


The following examples illustrate some special cases of (6.1). We assume 
throughout that char(k) 4 2, 3. Let E/K be an elliptic curve given by a Weier- 
strass equation 


E:y?=x3+Ax+B. 


(a) If v(A) > 1 and v(B) = 1, then E(K) = E,(K). 
(b) If v(A) = 1 and v(B) > 2, then E(K)/E)(K) = Z/2Z. 

[Hint: If P, Q ¢ E,(K), use the addition formula to show that P + Qe E,(K).] 
(c) If v(A) > 2 and v(B) = 2, then E(K)/Ep(K) is either 0 or Z/3Z. 


Let E/K be an elliptic curve and m an integer relatively prime to char(k). Prove 
that 


Eo(K™)/mE9(K) = 0. 


Let E/K be an elliptic curve with potential good reduction, let m > 3 be an 

integer relatively prime to char(k), and let K(E[m]) be the field obtained by 

adjoining to K the coordinates of the points of E[m]. 

(a) Prove that the inertia group of K(E[m])/K is independent of m. [Hint: For 
each prime ¢ ¥ char(k), let “ =? if ¢ > 3 and ¢ =4 if ¢ = 2. Show that 
p/(I,) has trivial intersection with the kernel of the map 


Aut(T,(E)) > Aut(T,(E)/¢’ T(E) = GL(Z/¢"Z). 
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Characterize the inertia group of K(E[m])/K in terms of the kernels of the 
various p,’s. ] 
(b) Prove that K(E[m])/K is unramified if and only if E has good reduction at v. 
(c) Prove that K(E[m])/K is tamely ramified if char(k) > 3. 


7.10. Let K bea finite extension of Q,, R the ring of integers of K, and E/K an elliptic 
curve with complex multiplication. Prove that j(E)¢R. [Hint: Use the descrip- 
tion of the maximal abelian extension K® of K provided by local class field 
theory to prove that the action of Gaz on T(E) factors through a finite 
quotient. Then apply (exer. 3.24), (7.3), and (5.5).] 


7.11. Use (exer. 3.21) to prove (5.4c) and (5.5) in characteristic 2. 


CHAPTER VIII 
Elliptic Curves over Global Fields 


Let K be a number field and E/K an elliptic curve. Our main goal in this 
chapter is to prove the following result. 


Mordell—Weil Theorem. The group E(K) is finitely generated. 


The proof of this theorem consists of two quite distinct parts, the so-called 
“weak Mordell—Weil theorem” (§1) and the “infinite descent” using height 
functions (§3, 5, 6). We also give a separate proof of the descent step in the 


simplest case (§4), where the general theory of height functions can be re- 
placed by explicit polynomial calculations. 


From the Mordell— Weil theorem we see that the Mordell—Weil group E(K) 
has the form 


E(K) = Ejos(K) x Z", 


where the torsion subgroup E,,,,(K) is finite and the rank r of E(K) is a non- 

negative integer. For any given elliptic curve, it is possible to describe quite 

precisely the torsion subgroup (§7). The rank is much more difficult to com- 

pute, and in general there is no known procedure which is guaranteed to 

yield an answer. We will return to this question in more detail in chapter X. 
The following notation will be used for the next three chapters. 


K a number field 

Mx a complete set of inequivalent absolute values on K 
Mf the archimedean absolute values in Mx 

Me the non-archimedean absolute values in Mx 

v(x) = —log|x|, for absolute values vé Mx 


ord, © normalized valuation for ve Mg (ie. ord,(K*) = Z) 
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R the ring of integers of K = {xe K : v(x) > 0 for all ve Mg} 
R* the unit group of R = {xe K : v(x) = 0 for all ve Mg} 
K, the completion of K at v for ve Mg 


R,, 4,, k, the ring of integers, maximal ideal, and residue field asso- 
ciated to K, for ve MP. 


Finally, in those situations where it is important to have the absolute values 
in M, coherently normalized, such as the theory of height functions, we will 
always adopt the “standard normalization” as described in section 5. 


§1. The Weak Mordell—Weil Theorem 


Our goal in this section is to prove the following result. 


Theorem 1.1 (Weak Mordell—Weil Theorem). Let K be a number field, E/K 
an elliptic curve, and m > 2 an integer. Then 


E(K)/mE(K) 
is a finite group. 


For the rest of this section, E/K and m will be as in the statement of (1.1). 
We start with the following reduction lemma. 


Lemma 1.1.1. Let L/K be a finite Galois extension. If E(L)/mE(L) is finite, 
then E(K)/mE(K) is also finite. 


Proor. Let ® be the kernel of the natural map E(K)/mE(K) > E(L)/mE(L). 
Thus 
® = (E(K)NmE(L))/mE(K), 


so for each P (mod mE(K)) in ®, we can choose a point Qp¢E(L) with 
[m]Qp = P. (Qp need not be unique, of course.) Having done this, we define a 
map of sets (which is not in general a group homomorphism) 


Ap: Gix > E[m], Ap(a) = Qe — Qp. 
(Notice that 0% — Q> is in E[m], since 
[m](Qe — Qp) = (Lm]Qp)’ — [m]Qp = P*? — P=O. 


The map Ap is actually a 1-cocycle; see section 2.) 
Suppose now that Ap = Ap. for two points P, P’e E(K) 0 mE(L). Then 


(Qp—Qp)”>=Qp—Qp _ forall ceG,)x, 
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so Op — Qp.€ E(K). Therefore 
P — P’ =[m]Q> — [m]Qp-€mE(k), so P = P’ (mod mE(k)). 
This proves that the association 
D> Map(G,)x,E[m]),  P- Ap, 


is one-to-one. But G,), and E[m] are finite sets, so there are only a finite 
number of maps between them. Therefore ® is finite. 
Finally, the exact sequence 


0-> © > E(K)/mE(K) > E(L)/mE(L) 
nests E(K)/mE(K) between two finite groups, so it too is finite. Oo 


In view of (1.1.1), it suffices to prove the weak Mordell—Weil theorem (1.1) 
under the additional assumption that 


E[m] < E(K). 


For the remainder of this section we will assume, without further comment, 
that this inclusion is true. 

The next step is to translate the putative finiteness of E(K)/mE(K) into a 
statement about a certain field extension of K. For this purpose, we use the 
following tool. 


Definition. The Kummer pairing 
K: E(K) x Gx > E[m] 


is defined as follows. Let Pe E(K), and choose any Q¢E(K) satisfying 
[m]Q = P. Then 


K(P, 0) = Q° —Q. 


Proposition 1.2. (a) The Kummer pairing is well-defined. 

(b) The Kummer pairing is bilinear. 

(c) The kernel of the Kummer pairing on the left is mE(K). 

(d) The kernel of the Kummer pairing on the right is Gg), where 
L= K([m]*E(K)) 


is the compositum of all fields K(Q) as Q ranges over the points of E(K) 
satisfying [m]Q € E(K). 
Hence the Kummer pairing induces a perfect bilinear pairing 


E(K)/mE(K) x G,)x > E[m], 
where L is the field given in (d). 


Proor. Most of this proposition follows immediately from basic facts con- 
cerning group cohomology. (See section 2.) We will give a direct proof here. 
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(a) We must show that «(P, o) is in E[m] and does not depend on the choice 
of Q. For the former, 


[m]«(P, 0) = [m]Q° — [m]Q = P’— P=0, 


since Pe E(K) and o fixes K. For the latter, note that any other choice has the 
form Q + T for some Te E[m]. Then 


(Q+TY’—-Q+T)=Q°+T’-Q-T=Q'-Q, 


because by assumption E[m] < E(K), so a fixes T. 
(b) The linearity in P is obvious. For the other side, let 0, t€ Ggjx. Then 


K(P, ot) = 0" — 0 =(Q° — OF + O —Q=K(P, of + K(P, 2). 

But x(P, o)¢ E[m] is contained in E(K), so it is fixed by t. 
(c) Suppose P €mE(K), say P = [m]Q with Qe E(K). Then any oe€ Gg,x fixes 
Q, so 

K(P, o) = 0° --Q=0. 
Conversely, suppose «(P, o) = O for all o€ Gx. Thus choosing Qe E (K) 
with [m]Q = P, we have 

Q°=Q for all o € Ggix. 

Therefore Q € E(K), so P = [m]QemE(K). 
(d) Suppose o € Gg),. Then 

K(P, 0) = Q7 -Q=0, 


since Qe E(L) from the definition of L. Conversely, suppose o€ Gg)x and 
«(P, o) = O for all Pe E(K). Then for every Q € E(K) satisfying [m]Q € E(K), 


O = k([m]Q, 0) = Q’ -Q. 
But L is the compositum of K(Q) over all such Q, so a fixes L. Hence o € Gg. 
Finally, the last statement of (1.2) is clear from what precedes it, once we 


note that L/K is Galois because Gg,, takes [m]~'E(K) to itself. (Alternatively, 
from (d), Gx), is the kernel of the homomorphism 


Ggix = Hom(E(K), E[m)}), o- K(- ’ 6), 


so it is a normal subgroup.) Ol 


Using (1.2), we see that the finiteness of E(K)/mE(K) is equivalent to the 
finiteness of the extension L/K. The next step is to analyze this extension. 
Our main tool will be (VIL3.1), which we restate after making appropriate 
definitions. 


Definition. Let K be a number field and E/K an elliptic curve. Let ve My bea 
discrete valuation (i.e. ve Mg). Then E is said to have good (respectively bad) 
reduction at v if E has good (respectively bad) reduction when considered 
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over the completion K, (cf. VII §5). Taking a minimal Weierstrass equation 
for E over K,, we denote the reduced curve over the residue field by E,,/k,,. 
[N.B. It may not be possible to choose a single Weierstrass equation for E 
over K which is simultaneously minimal for all K,. However, this can be 
done if K = Q. For further details, see section 8.] 


Remark 1.3. Take any Weierstrass equation for E/K, 
E:y? + a,xy + ayy = x? + a,x? + agx + dg, 

say with discriminant A. Then for all but finitely many ve M2, we have 
v(a;)) > 0 fori=1,...,6 and v(A) = 0. 


Now for such v, the given equation is already a minimal Weierstrass equa- 
tion, and the reduced curve F,,/k, is non-singular. This shows that E has good 
reduction at v for all but finitely many ve My. 


Proposition 1.4 (restatement of VII.3.1b). Let veMg, and suppose that 
v(m) = 0 and E has good reduction at v. Then the reduction map 
E(K)[m] > E,(k,) 
is injective. 
We are now ready to analyze the extension L/K. 


Proposition 1.5. Let 
L= K([m] *E(K)) 
be the field defined in (1.2d). 
(a) L/K is an abelian extension of exponent m. (I.e. Gy)x is abelian and every 


element has order dividing m.) 
(b) Let 


S = {ve Mg: E has bad reduction at v} UV {ve Mg: v(m) #0} U Mg. 


Then L/K is unramified outside S. (I.e. If vé My and v€S, then L/K is unrami- 
fied at v.) 


Proor. (a) This follows immediately from (1.1), which implies that there is an 
injection 
Gx > Hom(E(K), E[m]) 
g—>k(-, 9). 


(b) Let ve M, with v¢S, let 0 E(K) satisfy [m]Q € E(K), and let K’ = K(Q). 
It suffices to show that K’/K is unramified at v, since L is the compositum of 
all such K’. Let v'e Mx. be a place of K’ lying above v, and let ki,,/k, be the 
corresponding extension of residue fields. Since E has good reduction at v 
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(remember v¢ 5S), it certainly has good reduction at v’ (take the same Weier- 
strass equation). Thus we have the usual reduction map 


E(K') > E,(k,,), 


which we denote as usual by a tilde. 
Now let I,.,, © Gg-x be the inertia group for v’/v, and let oel,,,,. By 
definition of inertia, o acts trivially on E,,(k,,), so 


F-G-0-0=6. 
On the other hand, 


[m](Q’ — Q) = ([m]Q)’ — [m]Q = O, 


since [m]Q ¢ E(K). Thus Q’ — Q is a point of order m which is in the kernel of 
the “reduction modulo v” map. It follows from (1.4) that 


0° -Q=0. 
This proves that Q is fixed by every element of the inertia group I,,,,, hence 


K' = K(Q) is unramified over K at v’. Since this holds for every v’ over v, and 
for every v¢S, we have proven that K’/K is unramified outside S. O 


To complete the proof of the weak Mordell—Weil theorem, all that remains 
is to show that any field extension L/K satisfying the conditions of (1.5) is 
necessarily a finite extension. The proof of this fact relies on the two funda- 
mental finiteness theorems of algebraic number theory, namely the finiteness 
of the ideal class group and the finite generation of the group of S-units. 


Proposition 1.6. Let K be a number field, S < Mx a finite set of places contain- 
ing My, and m > 2 an integer. Let L/K be the maximal abelian extension of K 
having exponent m which is unramified outside of S. Then L/K is a finite 
extension. 


Proor. Suppose the proposition were true for some finite extension K’ of K, 
where S’ is the set of places of K’ lying over S. Then LK’/K’, being abelian of 
exponent m unramified outside S’, would be finite; and so L/K would also be 
finite. It thus suffices to prove the proposition under the assumption that K 
contains the m'*-roots of unity p,,. 

Similarly, we may increase the set S, since this only has the effect of making 
L larger. Using the fact that the class number of K is finite, we can thus add a 
finite number of elements to S so that the ring of S-integers 


Rs = {ae K: v(a) > O for all ve Mx, v¢S} 


is a principal ideal domain. We may also enlarge S so that v(m) = 0 for all 
v€S. 

Now the main theorem of Kummer theory says that if a field (of character- 
istic 0) contains p,,, then its maximal abelian extension of exponent m is 
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obtained by adjoining m'*-roots. (See any basic text on field theory, for 
example [Bi §2] or [Ar, theorem 25]; or do exer. 8.4.) Thus L is the largest 
subfield of 


K (2/a :aéK) 
which is unramified outside S. 
Let ve Mx, v¢S. Looking at the equation 
xXx™—a=0 
over the local field K,, and remembering that v(m) = 0, it is clear that 
K,(2/a)/K, is unramified if and only if 
ord,(a) = 0 (mod m). 


(Recall ord, is the normalized valuation associated to v.) Now when adjoin- 
ing m'-roots, it is only necessary to take one representative for each class in 
K*/(K*)". We conclude that 


L= K(2/a: ae Ty), 
where 
Ts = {ae K*/(K*)": ord,(a) = 0 (m) for all ve Mx, v¢ S}. 
To finish the proof, it thus suffices to show that the set T; is finite. 
Consider the natural map 
Ri = Ty. 

We claim that it is surjective. To see this, suppose ae K* represents an 
element of T;. Then the ideal aRg is the m'"-power of an ideal in Rg, since the 
prime ideals of Rs correspond to the valuations v¢S. Since Rg is a principal 


ideal domain, there is a be K* so that aRs = b"Rg, Hence there is a ue R¥ so 
that 


a= ub". 
Then a and u give the same element of T;, so R¥ surjects onto T;. Now the 
kernel of this map certainly contains (R¥)", so we have a surjection 
Rg/(Rg)" > Ts. 


(It is actually an isomorphism.) But Dirichlet’s S-unit theorem [La 2, V §1] 
says that Ré is finitely generated, so this proves that T, is finite, and thereby 
completes the proof of the proposition. O 


The three propositions proven above may now be combined to give our 
main result. 


PROOF OF THE WEAK MorDELL—WEIL THEOREM (1.1). Let L = K([m]7'E(K)) 
be the field defined in (1.2d). Since E[m] is finite, the perfect pairing given in 
(2.1) shows that E(K)/mE(K) is finite if and only if G,,x is finite. Now (1.5) 
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shows that L has certain properties, and (1.6) shows that any extension of K 
with those properties is a finite extension, which gives the desired result. 
(Note that the set S of (1.5b) is a finite set; cf. (1.3).) Oo 


Remark 1.7. The heart of the proof of the weak Mordell—Weil theorem lies in 
the assertion that the field L = K([m]1E(K)) is a finite extension of K. We 
proved this by first showing (1.5) that it is abelian, of exponent m, and 
unramified outside a certain finite set S < Mx. The desired result then fol- 
lowed from the basic Kummer theory of fields given in the proof of (1.6). It is 
worth pointing out that instead of (1.6), we could have used the more general 
theorem of Minkowski which asserts that there are only finitely many exten- 
sions of K of bounded degree which are unramified outside of S. To apply 
this in the present instance, note that for any Q¢[m]~'E(K), the field K(Q) 
has degree at most m? over K. (The Ggjx conjugates of Q all have the form 
Q+ T for some Te E[m].) It follows from Minkowski’s theorem that as Q 
ranges over [m]~*E(K), there are only finitely many possibilities for the fields 
K(Q). Hence their compositum K([m]~1E(K)) is a finite extension of K. 


Remark on Effectivity 


Let E/K be an elliptic curve with E[m] < E(K), let S < Mg be the usual set of 
bad places for E/K (as in (1.5b)), and let L/K be the maximal abelian exten- 
sion of K having exponent m which is unramified outside S. Then from (1.2) 
and (1.5), the Kummer pairing induces an injection 


E(K)/mE(K) > Hom(G,,x, E[m)). 


Now it is possible to make the proof of (1.6) completely explicit, and so 
exactly determine the finite group G,/x (see exer. 8.1). Thus one can describe 
all of the elements of the group Hom(G,/x, E[m]), and the crucial question 
becomes that of determining which of these elements come from points of 
E(K)/mE(K). It is this last question for which there is at present no known 
effective procedure for answering. We will examine this problem in more 
detail in chapter X. There we will exhibit a smaller group into which 
E(K)/mE(K) injects, and see what can be said about the cokernel. Let us also 
note that this is the only point at which the Mordell—Weil theorem is ineffec- 
tive; if one can produce generators for E(K)/mE(K), then one can find gen- 
erators for E(K). (See (3.2) and exer. 8.18.) 


§2. The Kummer Pairing via Cohomology 


In this section we reinterpret the Kummer pairing of §1 in terms of group 
cohomology. The methods used here will not be used again until chapter X, 
and may be omitted by the reader wishing to proceed directly to the proof of 


§2. The Kummer Pairing via Cohomology 197 


the Mordell—Weil theorem. For the basic facts on group cohomology which 
we will use, see appendix B and/or the references listed there. 
We start with the short exact sequence of Gg,x-modules, 


0 E[m] > £(K) E(R) +0, 


where m > 2 is a fixed integer. Taking Gg), cohomology yields a long exact 
sequence which starts 
0> E(K)Im] > EK) @] = &K) 


5, H} (Gg, Elm]) > H'(Gzjx, E(K)) > H'(Gzjx, E(K)). 


Now from the middle of this long exact sequence we can extract the following 
short exact sequence, which we call the Kummer sequence for E/K: 
E(K) 56 = 
> E(R) 7 (Gains EL) > HG zyx, E(R)) mi] > 0, 

(As usual, for any abelian group A, A[m] denotes the m-torsion subgroup of 
A.) 

From general principles, the connecting homomorphism 6 is computed as 
follows. Let P ¢ E(K) and choose some Q € E(K) satisfying [m]Q = P. Then a 
1-cocycle representing 6(P) is given by 


c: Ggjx > E[m] 


Ce = Q°—Q. 
But this is exactly the Kummer pairing defined in §1, 
Ca = K(P, 0). 


(This assumes we use the same Q for both sides, of course.) 
Now suppose that E[m] is contained in E(K). Then 


H*(Ggjx, E[m]) = Hom(Ggx, E[m)]), 
so in this case we have an injective homomorphism given by 
E(K)/mE(K) < Hom(Gg)x, E[m]) 
P-«(P, °). 


This provides an alternative proof of (1.2abc). 

Similarly, we can use the inflation-restriction sequence (B.2.4) to obtain a 
quick proof of reduction lemma (1.1.1). Thus if L/K is a finite Galois exten- 
sion (say with E[m] < E(L)), then we have a commutative diagram 


ee ® + E(K)/mE(K) >  E(L)/mE(L) 
4 ; Ay, a 
0 + H'(Gi)¢. E[m]) > H4(Ggx, Elm]) > H*(Gz,, Elm). 


Since G,,x and E[m] are finite groups, the cohomology group H ‘(Gi jx, E[m]) 


198 VIII. Elliptic Curves over Global Fields 


is finite, so ® is finite also. (The map Ap : G,,x — E[m] defined in the proof of 
(1.1.1) is a cocycle whose cohomology class is precisely the image of Pe ® in 
H* (G, jx, E[m]).) 

Returning now to the general case, we reinterpret (1.5b) in terms of 
cohomology. 


Definition. Let M be a Ggjx-module, ve My a discrete valuation, and 
I, < Gg x the inertia group for v. A cohomology class ¢ ¢ H"(Gx)x, M) is said 
to be unramified at v if it is trivial in H’(I,, M). 


Proposition 2.1. Let 
S = {ve Mp: E has bad reduction at v} U {ve Mg: v(m) # 0} U Me. 
Then the image of E(K) in H*(Gg,x, E[m]) under the connecting homomor- 


phism 6 consists of cohomology classes which are unramified at every vé Mx, 
v¢S. 


Proor. Let Pe E(K), and as above let 

Cg = Q° 2 Q 
be a cocycle representing 6(P), where [m]Q = P. Then from (1.5b), the field 
K(Q) is unramified over v. (Note that the proof of (1.5b) did not use the 


assumption that E[m] is contained in E(K).) Hence I, acts trivially on Q, so 
for all ceEl,, c, = 0. oO 


The Kummer Sequence for Fields 


The exact sequences derived above are analogous to the usual ones related to 
Kummer theory for a field. To make the analogy clear, we briefly recall the 
relevant facts. Corresponding to the multiplication-by-m sequence for E used 
above is the exact sequence of Gg)x-modules 


lon, >K*3K*>1, 
where the map denoted m is raising to the m'"-power. Taking Gg, coho- 
mology yields a long exact sequence, from which we extract 
1+ K*(K*)" 5H" (Giyx, tn) > (Gan, R*). 
Now Hilbert’s famous “theorem 90” (B.2.5) asserts that 
H(Gzx, K*) = 0, 


so the connecting homomorphism 6 is an isomorphism. This is in marked 
contrast to the situation for elliptic curves, where the non-triviality of 
H+ (Gx)x, E(K)) provides much added complication. (See chapter X.) Collect- 
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ing the above facts, and using an explicit computation of the connecting 
homomorphism, we have the following. 


Proposition 2.2. There is an isomorphism 
6: K*/(K*)" 5 H*(Ggjx, Wm) 
given by 
6(a) = cohomology class of {o > «°/a}, 


where ae K* satisfies a” = a. 


§3. The Descent Procedure 


Our main goal in this chapter is to prove that E(K), the group of rational 
points on an elliptic curve, is finitely generated. So far, we know (1.1) that the 
quotient group E(K)/mE(K) is finite. It is easy to see that this is not enough. 
For example, R/mR = 0 for every integer m > 1, but R is certainly not finitely 
generated. Similarly, if E/Q, is an elliptic curve, then (VII.6.3) says that E(Q,) 
has a subgroup of finite index isomorphic to the additive group Z,. Hence 
E(Q,)/mE(Q,) is finite and E(Q,) is not finitely generated. 

An examination of these two examples shows that the problem occurs 
because of the large number of elements in the group which are divisible by 
m. The idea used to finish the proof of the Mordell—Weil theorem is to show 
that on an elliptic curve over a number field, the multiplication by m map 
tends to increase the “size” of a point; and that there are only finitely many 
points with small “size”. This will bound how high a power of m can divide a 
point, and so eliminate problems such as in the above examples. Of course, 
all of this is very vague until we explain what is meant by the “size” of a point. 

In this section we will axiomatize the situation and describe the type of size 
(or height) function needed to prove that an abelian group is finitely gen- 
erated. Then in the next section we will define such a function on an elliptic 
curve in the simplest case, and use explicit formulas to prove that it has the 
desired properties. This will suffice to prove a special case of the Mordell— 
Weil theorem (4.1). After that, we will turn back to the general case and 
develop the theory of height functions in sufficient generality to both prove 
the Mordell—Weil theorem (6.7) and be useful for future applications. 


Proposition 3.1 (Descent theorem). Let A be an abelian group. Suppose there is 
a “height” function 


h:A>R 


with the following three properties: 
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(i) Let Qe A. There is a constant C,, depending on A and Q, so that for all 
PeA, 


h(P + Q) < 2h(P) + Cy. 


(ii) There is an integer m > 2 and a constant C,, depending on A, so that for 
all Pe A, 


h(mP) > m?h(P) — Cy. 
(iii) For every constant C3, 
{Pe A:h(P) < C3} 
is a finite set. 


Suppose further that for the integer m in (ii), the quotient group A/mA is finite. 
Then A is finitely generated. 


Proor. Choose elements Q,,..., Q,¢ A to represent the finitely many cosets 
in A/mA. Now let Pe A. The idea is to show that by subtracting an appropri- 
ate linear combination of Q,, ..., Q, from P, we will be able to make the 
height of the resulting point less than a constant which is independent of P. 
Then Q,, ..., Q, and the finitely many points with height less than this 
constant will generate A. 

Write 


P=mP, + Q,, for some 1 <i, <r. 
Continuing in this fashion, 


P, => mP, + 0:,, 
Fea > mP, F Qi... 
Now for any j, we have 


h(P) < —[himP) +(C,] from (ii) 
1 
= ye LatPi-1 _ Q;,) + C,] 


1 ; 
< nt entP-1) +C,+C,] from (i), 


where we take C; to be the maximum of the constants from (i) for Q = —Q,, 
1 <i<r. Note that C; and C, do not depend on P. 

Now use the above inequality repeatedly, starting from P, and working 
back to P. This yields 
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h(P, y< (= 7) ne) +| i+ pt ate + Sac +c) 


<(=) me) + ot 


<2-"h(P) + (Cy + C,)/2 since m > 2. 


It follows that by taking n sufficiently large, we will have (say) 
h(P,) < 1 + (Cy + C,)/2. 


Since (from above) 
P=m'P, + ¥ mQ,, 
ix 


it follows that every Pe A is a linear combination of the points in the set 


{Q1,.--,0,} VU{QEA :h(Q) < 1 + (Cy + C,)/2}. 


From (iii), this is a finite set, which proves that A is finitely generated. O 


Remark 3.2. What is needed to make the descent theorem effective; that is, to 
allow us to find generators for the group A? First, we must be able to calculate 
the constants C, = C,(Q,) for each of the elements Q,,...,Q,¢ A representing 
the cosets of A/mA. Second, we must be able to calculate the constant C). 
Third, for any constant C,, we must be able to determine the elements in the 
finite set {Pe A: h(P) < C;}. The reader may check (exer. 8.18) that for the 
height functions which we will define on elliptic curves (§4, 5, 6), all of these 
constants are effectively computable provided we can find elements of E(K) 
which generate the finite group E(K)/mE(K). Unfortunately, at present 
there is no known procedure which is guaranteed to give generators for 
E(K)/mE(K). We will return to this question in chapter X. 


§4. The Mordell—Weil Theorem over Q 


In this section we will prove the following special case of the Mordell- Weil 
theorem. 


Theorem 4.1. Let E/Q be an elliptic curve. Then the group E(Q) is finitely 
generated. 


We will, of course, soon be ready to prove the general case (6.7). But it 
seems worthwhile to give the proof of (4.1) first, since in this case the neces- 
sary height computations using explicit formulas are not too cumbersome. 
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Fix a Weierstrass equation for E/Q of the form 
E:y?=x3+Ax+B 
with A, BeZ. From (1.1) we know that E(Q)/2E(Q) is finite, so to use the 
descent theorem (3.1), we need to define a height function on E(Q). 
Definition. Let t¢@ and write t = p/q as a fraction in lowest terms. The 


height of t, denoted H(t), is defined by 
H(t) = max{\pl, |gl}. 


Definition. The height on E(Q) (relative to the given Weierstrass equation) is 
the function 


h,: E(Q)> R 
_ flog H(x(P)) if P #0 
ha(P) = ‘0 if P = 0. 


Notice h,(P) is always non-negative. 


The following lemma gives us the necessary information about this height 
function 


Lemma 4.2. (a) Let Py ¢ E(Q). There is a constant C,, depending on Po, A, B, so 
that for all Pe E(Q), 
h,(P + Po) < 2h,(P) + Cy. 

(b) There is a constant C,, depending on A, B, so that for all Pe E(Q), 

h,([2] P) > 4h,(P) — Cp. 
(c) For every constant C3, the set 

{Pe E(Q):h,(P) < C3} 

is finite. 
ProoF. (a) Taking C, > max {h,(Po), h,([2]Po)}, we may assume Py # O and 
P #0, +P. Then writing 


a b ay b 
P=(x,y)= (4 3) Po = (Xa Yo) = (33.33) 
(where the indicated fractions are in lowest terms), the addition formula 
(III.2.3d) reads 


_ 2 
xP +P) =(2 2) —xX— Xp. 
— Xo 


Now multiplying this out and using that P and P) satisfy the Weierstrass 
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equation yields 
(xX + A)(x + Xo) + 2B — 2yyo 
(x — Xo)? 
_ (aay + Ad?d§)(ad§ + aod”) + 2Bd*d§ — 2bdbody 
i (adj — aya?) 
In computing the height of a rational number, cancellation between 


numerator and denominator can only decrease the height, so we find by an 
easy estimation that 


H(x(P + Po)) < C; max{|a|?, |d|*, |bd]}, 


where C; has a simple expression in terms of A, B, do, bo, do. Since 
H(x(P)) = max{|a|, |d|?}, this is exactly what we want except for the pres- 
ence of the |bd|. But since P is on the curve, 


b? = a? + Aad* + Bd®, 


x(P + Po) = 


sO 
|b| < Cy max {|a|>”, |d|5}. 
Using this above yields 
H(x(P + Po)) < C, max{|al?, |d|*} = C, H(x(P))’, 


and now taking logarithms gives the desired result. 
(b) By choosing C, > 4h,(T) for each of the points Te E(Q)[2], we may 
assume that [2]P 4 O. Then writing P = (x, y), the duplication formula 
(III.2.3d) reads 
x* — 2Ax? — 8Bx + A? 

4x? + 4Ax + 4B 


x([2]P) = 


It is convenient to define homogeneous polynomials 
F(X, Z) = X* — 2AX?Z? — 8BXZ? 4+ A*Z4, 
G(X, Z) = 4X3Z + 4AXZ?> + 4BZ*. 


Then if we write x = x(P) = a/b as a fraction in lowest terms, x([2]P) can be 
written as a quotient of integers 


x([2]P) = F(a, b)/G(a, b). 


However, in contrast to (a), we are looking for a lower bound for H(x({2]P)), 
so it will be important to bound how much cancellation can occur between 
numerator and denominator. 

The idea is to use the fact that F(X, 1) and G(X, 1) are relatively prime 
polynomials, so they generate the unit ideal in Q[X]. This implies that 
identities of the following sort exist. 


204 VIII. Elliptic Curves over Global Fields 


Sublemma 4.3. Let A = 4A? + 27B?, 
F(X, Z) = X* — 2AK?Z? — 8BXZ? + A’Z*, 
G(X, Z) = 4X°Z + 4AXZ? + 4BZ4, 
f,(X, Z) = 12X?Z + 16AZ?, 
g,(X, Z) = 3X3 — SAXZ? — 27BZ?3, 
fo(X, Z) = 4(4A3 + 27B?)X? — 44? BX?Z 
+ 4A(3A3 + 22B?)XZ? + 12B(A? + 8B7)Z3, 
92(X, Z) = A?BX? + A(5A? + 32B2)X?Z 
+ 2B(13A> + 96B?)XZ? — 3A?(A? + 8B?)Z?. 
Then the following identities hold in QLX, Z];: 
fi (X, Z)F(X, Z) — 9,(X, Z)G(X, Z) = 4AZ’ 
fo(X, Z)F(X, Z) + 92(X, Z)G(X, Z) = 4AX7. 
ProoF. Since F(X, Z) and G(X, Z) are relatively prime homogeneous poly- 
nomials (provided A ¥ 0), it is clear a priori that identities of this sort will 
exist. To check the validity of the two given identities is at worst a tedious 


calculation, which we leave for the reader. (To actually find the polynomials 
Fis 915 S25 92, one can use the Euclidean algorithm or the theory of resultants.) 


O 
We return to the proof of (4.2b). Let 
6 = gcd(F(a, b), G(a, b)) 
be the cancellation in our fraction for x([2]P). From the equations 
f(a, b)F (a, b) — g,(a, b)G(a, b) = 4Ab’ 
f(a, b) F(a, b) + g2(a, b)G(a, b) = 4Aa’, 
we see that 6 divides 4A. Hence we obtain the bound 
|5| < [4A], 
and so 
H(x([2]P)) > max{F(a, b), G(a, b)}/|4A\. 
On the other hand, the same identities give the estimates 
|4Ab’| < 2 max{ f,(a, b), g, (a, b)} max {F(a, b), G(a, b)}, 
|4Aa’| < 2 max{ f(a, b), go(a, b)} max {F(a, b), G(a, b)}. 
Now looking at the expressions for f,, f5, g,, and g, in (4.3), we have 
max { f,(a, ), 9:(a, b), f2(a, b), go(a, b)} < C max {|al?, |b|°}, 
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where C is a constant depending on A and B. Combining the last three 
inequalities yields 
max {|4Aa’|, |4Ab7|} < 2C max {|a|3, |b|>} max{F(a, b), G(a, b)}, 
and so cancelling max {|a|%, |b|*} gives 
max { F(a, b), G(a, b)}/|4A| > (2C)* max {|al, |b]}. 
Since max {|a|, |b|} = H(x(P)), this gives the desired estimate 
H(x([2]P)) > (2C)*H(x(P)). 
(c) For any constant C, the set 
{teQ: H(t) <C} 


is clearly finite. (It certainly has fewer than (2C + 1) elements.) But given any 
value for x, there are at most two values of y for which (x, y) is a point of E. 
Therefore 


{Pe E(Q):h,(P) < C3} 


is also a finite set. Oo 


Proving (4.1) is now just a matter of fitting together what we have already 
proven. 


ProorF oF (4.1). From (1.1), E(Q)/2E(Q) is finite. Now (4.2) says that the height 
function 


h,: E(Q)>R 


satisfies the conditions necessary to apply the descent theorem (3.1) (with 
m = 2). The conclusion from (3.1) is that E(Q) is finitely generated. oO 


§5. Heights on Projective Space 


In order to use the descent theorem (3.1) to prove the Mordell—- Weil theorem 
in general, it is necessary to define a height function on the K-rational points 
of an elliptic curve. It is possible to proceed in an ad hoc manner using 
explicit equations, as in the last section; but rather than do this, we will 
instead develop the general theory of height functions, from which will follow 
all of the necessary properties plus considerably more. Since our elliptic 
curves are given as subsets of projective space, in this section we will study a 
certain height function defined on all of projective space; and then in the next 
section we will examine its properties when restricted to the points of an 
elliptic curve. 


Example 5.1. Suppose P ¢ P%(Q). Since Z is a principal ideal domain, we can 
find homogeneous coordinates for P, say 
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P=[%p,.--> Xn], 
which satisfy 
Xos+++XyEZ and ged(xo,..., Xy) = 1. 
Then a natural measure of the height of P would be 
H(P) = max{|Xol, ..., |xwl}. 
Notice that with this definition, it is clear that for any constant C, the set 
{PeP(Q): H(P) < C} 


is a finite set. (It has fewer than (2C + 1)%*! elements.) This is the sort of 
finiteness property needed to apply the descent theorem (3.1). 

Now in trying to directly generalize (5.1) to arbitrary number fields, one 
runs into difficulty when the ring of integers is not a principal ideal domain. 
We thus take a somewhat different approach, for which purpose we now 
specify more precisely how the absolute values in Mx are to be normalized. 


Definition. The set of standard absolute values on Q, which we again denote 
by Mg, consists of the following: 


(i) Mg contains one archimedean absolute value, given by 
|x|. = usual absolute value = max{x, —x}. 
(ii) For each prime peZ, Mg contains one non-archimedean (p-adic) ab- 


solute value, given by 


Pr os p” for a, beZ, gced(p, ab) = 1. 


The set of standard absolute values on K, denoted Mx, consists of all absolute 
values on K whose restriction to Q is one of the absolute values in Mg. 
Definition. For ve My, the local degree at v, denoted n,, is given by 

n, = [K,: Q,]. 
(Here K, and Q, denote, as usual, the completion of the indicated field with 


respect to the absolute value v.) 


With these definitions, we can state the two basic facts from algebraic 
number theory which will be needed. 


Extension Formula 5.2. Let L/K/Q be a tower of number fields, and ve Mx. 
Then 


yn, =(L: K]n,. 


weMr 


(Here w|v means that w equals v when restricted to K.) 
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Product Formula 5.3. Let xe K*. Then 


[] lxite = 1. 


veMx 


For proofs of these two formulas, see [La 2, II §1 and V §1]. 
We are now ready to define the height of a point in projective space. 


Definition. Let P ¢ P’(K) be a point with homogeneous coordinates 
P =[Xo,..-, Xn], x,EK. 
The height of P (relative to K) is defined by 
Ay(P) = [] max{|xol,,.--, xvlp}"”: 


ve MK 
Proposition 5.4. Let Pe P‘(K). 


(a) The height H,(P) does not depend on the choice of homogeneous coordi- 
nates for P. 


(b) Ay(P) 2 1. 
(c) Let L/K be a finite extension. Then 
A, (P) = Ay(P)P*. 


Proor. (a) Any other choice of homogeneous coordinates for P has the form 
[Axg,...5 AXy] for some 4€K*. Then using the product formula (5.3), we 
have 
[] max {{Ax;|,}"” = [] |alemax {|x;|,}"" = [] max {|x;|,}". 

veMx i ve MK i veMx i 
(b) For any point in projective space, one can find homogeneous coordinates 
so that one of the coordinates is 1. Then every factor in the product defining 
H,(P) is at least 1. 
(c) We compute 


H,(P) = I] max {|x;|,,}"” 


I] [] max{|x;,}" since x, K 


veMx weML 
wiv 


T] max{|x;|,}%'*" from (5.2) 


veMxK 


= H,(P)%'*1. oO 


Remark 5.5. If K = Q, then Hg agrees with the more intuitive height function 
given in (5.1). Thus let Pe P%(Q), and choose homogeneous coordinates 
[Xo,.--, Xy] for P so that x,¢Z and gcd(xo, ..., Xy) = 1. Then for every non- 
archimedean absolute value ve Mg, we have |x;|, < 1 for all i and |x;,|, = 1 
for at least one i. Hence in the product for Hg(P), only the term for the 
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archimedean absolute value contributes, so 
Ha(P) = max{|Xolo. +--+» [Xwlo}: 
In particular, it follows that 
{Pe P"(Q): Ha(P) < C} 
is a finite set for any constant C. One of our goals is to extend this result to 


Hx, and we will actually prove something even stronger (5.11). 


It is sometimes easier to use a height function which is not relative to a 
given field. In view of (5.4c), the following definition makes sense. 


Definition. Let P ¢ P"(Q). The (absolute) height of P, denoted H(P), is defined 
as follows. Choose any field K such that Pe P*(K). Then 


H(P) = H,(P)'"*'@ (positive root). 


We now investigate how the height changes under mappings between 
projective spaces. We recall the following definition (cf. 1.3.3). 


Definition. A morphism of degree d between projective spaces is a map 
F:P¥ — p™ 
F(P) = [fo(P), ....fu(P)1, 


where fo, ...,f1€Q[Xo, -.., Xy] are homogeneous polynomials of degree d 


with no common zero in Q other than X, = --- = Xy = 0. If F can be written 
with polynomials f; having coefficients in K, then F is said to be defined over 


Theorem 5.6. Let 
F: Pp’ p™ 


be a morphism of degree d. Then there are constants C, and C,, depending on 
F, so that for all points Pe P*(Q), 


C, H(P)* < H(F(P)) < C,H(P)’. 
Proor. Write F =[fo,..-,fy] with homogeneous polynomials f;, and let 


P =[Xo,..., Xy]€P*(Q). Choose some number field K contining x9, ..., Xy 
and all of the coefficients of all of the fs. Then for each ve Mg, let 


|P|,= max {|x;|,}, |F(P)|, = max {| f(P)|,}, 
O<i<N 0<j<M 
and 


|F|, = max{|a|,,: a is a coefficient of some f;}. 
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Then from the definition of height, 
Ay(P)= [|] [Pl and Hy(F(P))= [] |F(P)I, 
veMxK veMxK 
so it makes sense to define 
Hx(F)= [| |Fi. 


ve MK 


(Le. Hx(F) = Hx([do, 4;,...]), where the a;’s are the coefficients of the f7s.) 
Finally, we let C,, C,,... denote constants which depend only on M, N and d, 
and set 


1 ifveMe 
ea is ifve M2. 


(To illustrate the utility of e(v), we note that the triangle inequality can be 
concisely written as 


|t, freed tale < n) max {|t,|,5 asaens Ital} 


for all ve Mx, both archimedean and non-archimedean.) 
Having set notation, we turn to the proof of (5.6). The upper bound is 
relatively easy. Let ve Mx. The triangle inequality yields 


If(P)le < CHF lol Phe, 


since f; is homogeneous of degree d. Here C, could equal the number of terms 
in f,, which is at most (%y*) (i.e. this is the number of monomials of degree d in 
N + 1 variables). Since this holds for each i, we find 


IF(P)|, < CHO |F ||P. 
Now raise to the n,-power, multiply over all ve Mx, and take the [K : Q]'*- 
root. This yields the desired upper bound 
H(F(P)) < C, H(F)H(P)*. 
(Note that 
Y evn, = Yn, =[K:Q] from (5.2).) 


veMK veMr 
It is worth mentioning that in proving this upper bound, we did not use the 
fact that the f?s have no common non-trivial zero. But for the lower bound 
we will certainly need this fact, since otherwise there are easy counter- 
examples (see exer. 8.10). 
Thus we now assume that the set 


{Qe A%**(Q) : fo(Q) = + = fu(Q) = 0} 


consists of the single point (0,...,0). It follows from the Nullstellensatz 
({Har, I.1.3A]) that the ideal generated by fo, ..., fy, in Q[Xo, ..., Xx] con- 
tains some power of each of Xo,..., Xy, since each X; also vanishes at 
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(0,...,0). Thus for an appropriate integer e > 1, there are polynomials 
g7€ Q[Xo, sees Xy] such that 


M 
Xf = ¥ gy foreachO <i<N. 
j=0 


Replacing K by a finite extension, we may assume that each 
gj€K[Xo,..., Xy]. Further, by discarding all terms except those which are 
homogeneous of degree e, we may assume that each g,, is homogeneous of 
degree e — d. Let us set the further reasonable notation 


|G|, = max{|b|, : b is a coefficient of some g,;} 


H,(G) = T] |G. 
ve MK 

(We note that e and H,(G) may be bounded in terms of M, N, d, and H,(F), 
although to give a good bound is not at all an easy task. See (5.7) for a 
discussion. For our purposes it is enough to note that e and H,(G) do not 
depend on the point P.) 

Recalling that P = [xo,..., Xv], the equations described above imply that 
for each i, 


M 
Ixilo = | 2, Gul P)G(P) 


v 


< Cx max {|gi(P)f(P)lo}- 
O<j<M 
Now taking the maximum over i gives 
IPI; < C2 max {l9(P)l}1F(P)l.- 
O<j<M 
O<i<N 


But since each g; has degree e — d, the usual application of the triangle 
inequality yields 


lgi(P)lo < CS1G| IP Ie *. 


(Here C, may also depend on e; but as mentioned above, e may be bounded 
in terms of M, N, and d.) Substituting this in above and multiplying through 
by |P|?~¢ gives 


IPIp < CL 1G, |F(P)I.5 
and now the usual raising to the n,-power, multiplying over ve Mx, and 
taking the [K : Q]'*-root yields the desired lower bound. oO 
Remark 5.7. As indicated during the proof of (5.6), in the inequality 
C,H(P)’ < H(F(P)), 


the dependence of C, on F is not at all straightforward. Precisely, C, can be 
given in terms of the coefficients of certain polynomials whose existence is 
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guaranteed by the Nullstellensatz. Now the Nullstellensatz can be made 
completely mechanical by the use of elimination theory, but using this 
method directly leads to a very poor estimate. For an explicit version of the 
Nullstellensatz where an effort has been made to give good estimates for the 
coefficients, see [M—W]. 


We also record the special case of (5.6) corresponding to an automorphism 
of P%. 


Corollary 5.8. Let AéGLy,,(Q), so matrix multiplication by A induces an 
automorphism A: P% > P¥. Then there are constants C, and C,, depending on 
the entries of the matrix A, so that for all Pe P*(Q), 


C, H(P) < H(AP) < C,H (P). 
ProoF. This is (5.6) for a morphism of degree 1. oO 


We next investigate the relationship between the height of the coefficients 
of a polynomial and the height of its roots. 


Notation. For xe Q, let 
(x) = H(Lx, 1]). 
Similarly, if xe K, then 
Ax(x) = Ax(Lx, 1). 


Theorem 5.9. Let 
S(T) = a)T4 + are + 37 + aq = a(T — a) (TT a4) € O[T] 
be a polynomial of degree d (i.e. dg # 0). Then 


at il H(a,) < H([ao, ..-, 4a]) < 24* ll H(«)). 
j=l j=l 


Proor. First note that the inequality to be proven remains unchanged if f(T) 
is replaced by (1/ao) f(T). It thus suffices to prove the result under the as- 
sumption that a) = 1. 

Let K = Q(a,,..., @,), and for ve Mx, set 


2 ifveme 
5 sree: 


(Note this notation differs from that used in the proof of (5.6). In the present 
instance, the triangle inequality reads 


|x + ylp < e(v)max{|x|,, |yl} for ve Mx, x, ye K. 


212 VIII. Elliptic Curves over Global Fields 


Of course, if ve Mf and |x|, # |y|,, then it is an equality.) We will now prove 
that 


d d 
e(v) 4] max{|a;|,, 1} < max {|a;|,} < e(v)** [] max {|a;|,, 1}. 
jai O<i<d j=l 


Once this is done, raising to the n,-power, multiplying over ve Mx, and 
taking [K : Q]"-roots gives the desired result. 

The proof is by induction on d = deg(f). For d = 1, f(T) = T — a, so the 
inequality is clear. Assume now that we know the result for all polynomials 
(with roots in K) of degree d — 1. Choose an index k so that 


lol, = Ia, for allO <j <d, 
and define a polynomial 
G(T) = (T= a4)°* (T= oy -1)(T— Oy 41) (T — 4) 
= by Tt +b, TH? +-+ + dy. 
Thus f(T) = (T — «,)g(T), so comparing coefficients yields 
a; = b; — %,b;-4. 


(This holds in the entire range 0 <i < d if we set b_, = b, = 0.) 
We now prove the upper bound ae above. 


max , tlile }= anes Be Pe o,b;-1|,} 
0<i< 


aa, max {|Djl,, |%b;-1|,} triangle inequality 


O0<i< 


< e(v) max {[b;|,} max {|o%l,, 1} 
0<i<d 
d 
< e(v)** [] max{|q;|,, 1} induction hypothesis 
fl applied to g. 


Next, to prove the lower bound, we consider two cases. First, if |,|, < e(v), 
then by the choice of the index k, 


d 
Il max {|q;|,, 1} < max {|%l,, 1}4 < e(v)*, 
Jj=1 


so the result is clear. (Remember a) = 1.) Next, suppose that |a,|, > e(v). 
Then 


max {|q;|,} = eu Adi — a,b;-1|,} 
O<i<d 


2 ae Ay {|b;|,} max {|a,l,, 1}. 
S1sa— 


Here the last line is an equality for ve Mg, while for ve Mg we are using the 
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calculation 


max {|b; — «,b;-1|,} > (I%l, — 1) max Piles 


O<i<d 


O<ix<d 


> e(v)*|o,|, max Mei |} 


O<i<d 
since |a,|, > é(v) = 


Now applying the induction hypothesis to g gives the desired lower bound, 
which completes the proof of (5.9). O 


Our first application of (5.9) will be to show that there are only finitely 
many points of bounded height in projective space. To do this, we will need 
to know that the action of Galois does not affect the height of a point. 
Lemma 5.10. Let Pe P%(Q) and o€ Gag. Then 

H(P’) = H(P). 


Proor. Let K/Q be a field with Pe P(K). o gives an isomorphism a: K 5 K’, 
and it likewise identifies the sets of absolute values, 


Co: Mx = Mx 
vv’. 
(Ie. For xe K and ve Mg, |x"|,« = |x|,.) Clearly o also gives an isomorphism 


K, 3 K%, so n, = n,-. We now compute 


Hye(P’) = I] max {|x?|,,}"” 


weM K° 


TI max {lfloes"" 


veM K 


[]_ max{|xil.}"* 


veMx 
= H,(P). 
Since [K : Q] = [K?: Q], this is the desired result. O 


Theorem 5.11. Let C and d be constants. Then the set 
{PeP(Q):H(P)<C and [Q(P):Q]<d} 
contains only finitely many points. In particular, for any number field K, 
{PeP%(K): Hx(P) < C} 
is a finite set. (Recall (I §2) that Q(P) is the minimal field of definition for P.) 


Proor. Let Pe P*(Q). Take homogeneous coordinates for P, say 
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P =[Xo,..-, Xn] 


with some x; = 1. Then Q(P) = Q(xo, ..., xy), and we have the easy estimate 


Haw)(P) = I] max {|x;|,}" 


veMqp 0<i<N 
> max ( [] max{\xil,, 1) 
O<i<N \vEeMaqyp) 


= max Hg@)(x)). 
0<i<N 


Thus if H(P) < C and [Q(P): Q] < d, then 
max H(x) <C and max [Q(x,):Q]<d. 
<N 


O<i<N 0<i< 
It thus suffices to prove that the set 
{xeQ:H(x)<C and [Q(x):Q]<d} 


is finite (Ie. We have reduced to the case N = 1.) 

Suppose x€Q is in this set, and let e = [Q(x): Q], so e <d. Further let 
X = X4,X5,..., X- be the conjugates of x (in Q), so the minimal polynomial of 
x over Q is 


f(T) = (T — x1): (T— x.) = T° +.a,T°* +++: +a,€Q[T]. 


Now 
H([1, a,,..., @]) < 2°? ll H(x;) from (5.9) 
j=l 


= 2°1H (x) from (5.10) 
<(2C)’ since H(x) << Cande<d. 


Since the a,’s are in Q, it is now clear that for given C and d there are only 
finitely many possibilities for the polynomial f,(T). (Ie. We are using the 
special case of the theorem with K = Q, for which it is easy to prove. See (5.1, 
5.3).) Since for a given polynomial there are at most d elements in our set, this 
proves that the set is finite. O 


Remark 5.12. Tracing through the proof of (5.11), it is easy enough to give an 
upper bound, in terms of C and d, for how many points are in the set 
{PeP%(Q):H(P)<C and [Q(P):Q]<d}. 
(See exer. 8.6a.) More difficult is to give a precise asymptotic estimate for 
#{PeP%(K): Hx(P) < C} 


as a function of C for C — oo. Such an estimate has been given by Schanuel. 
(See [Scha] or [La 7, Ch. 3, §5].) 
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§6. Heights on Elliptic Curves 


In this section we use the general theory of heights as developed in the 
previous section to define height functions on elliptic curves. The main 
theorems (6.2, 6.4) exhibit the interplay between the height of points and the 
addition law on the elliptic curve. As an immediate corollary, we will deduce 
the remaining results needed to prove the Mordell—Weil theorem for arbi- 
trary number fields (6.7). 

It is convenient to use the “big-O” notation. 


Notation. Let f, g be two real-valued functions on a set Y. Then we write 
f= 9+ O(1) 
if there are constants C, and C, so that 
C, < f(P) — g(P) < C, for all Pe S. 


If only the lower (respectively upper) inequality is satisfied, then we naturally 
write f > g + O(1) (respectively f < g + O(1)). 

Let E/K be an elliptic curve. Recall (II.2.2) that any non-constant function 
f €K(E) determines a surjective morphism (which we also denote by f) 


f:E>P! 
p4Jteal if P is a pole of f 
= 
[f(P), 1] otherwise. 


It would be reasonable to define a height function on E(K) by setting 
H,(P) = H(f(P)). However, the height function H tends to behave multi- 
plicatively (as in (5.6) for example), while for our purposes it will be more 
convenient to have a height which behaves additively. This prompts the 
following definitions. 


Definition. The (absolute logarithmic) height on projective space is the 
function 


h:P\(Q)->R 
h(P) = log H(P). 
Notice that from (5.4b), h(P) > 0 for all P. 
Definition. Let E/K be an elliptic curve and f ¢ K(E) a function. The height on 
E (relative to f) is the function 
h,: E(K) > R 
h,(P) = h(f(P)). 
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We start by transcribing the finiteness result from section 5 into the current 
setting. 


Proposition 6.1. Let E/K be an elliptic curve and f€K(E) a non-constant 
function. Then for any constant C, 


{Pe E(K): h,(P) < C} 
is a finite set. 
ProoF. The function f gives a finite-to-one map of the set in question to the 
set 
{QeP'(K): H(Q) < e}. 
(Note that since f ¢ K(E), any Pe E(K) will go to a point f(P)eP*(K).) Now 
apply (5.11) to this last set. Oo 


The next theorem gives a fundamental relationship between height func- 
tions and the addition law on an elliptic curve. 


Theorem 6.2. Let E/K be an elliptic curve and let f ¢ K(E) be an even function 
(i.e. fo[—1] =f). Then for all P, Qe E(K), 


h,(P + Q) + h,(P — Q) = 2h,(P) + 2h,(Q) + O(1). 


(Here the constants inherent in the O(1) depend on the elliptic curve E and the 
function f, but are of course independent of P and Q). 


Proor. Choose a Weierstrass equation for E/K of the form 
E:y?=x3+Ax+B. 


We start by proving the theorem for the particular function f = x. The 
general case will then be an easy corollary. 

Since h,(O) = 0 and h,(—P) =h,(P), the result clearly holds if P = O or 
Q = O. We now assume that P, Q # O, and write 


x(P) = [x,, 1], x(Q) = [x2, 1], 
x(P + Q)=[x3,1],  x(P—Q)=[%z, 1]. 


(Here x, or x, may equal oo if P = +Q.) Now the addition formula (III.2.3d) 

and a little bit of algebra yield the relations 

2 

xp y= (x, + xaN4 XX) + 4B 

(x1 + X2)° — 4x1Xx2 
(x1 x2 — A)? — 4B(x, + x) 

X3X4 = 2 . 

(x, + Xz)" — 4x1 X2 
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Define a map g: P? > P? by 
g([t, u, v]) = [u? — 4tv, 2u(At + v) + 4Br?, (v — At)? — 4Btu]. 
Then the formulas for x, and x, show that there is a commutative diagram 


Ex ESExE 


{ 1 
ol6h 6 CxP! PxP' a, 
| i 
p> + Pp 
where 
G(P, Q) = (P + Q, P — Q), 
and the vertical map a is the composition of the two maps 
Ex EP! x P! and P! x Pp! Pp? 


(P, Q) > (x(P), x(Q)) (Lo1, Bi], [%2, Bo) > [Bi Bo, &1 Bo + %2 By, 1 %2]. 


(The idea here is to treat t, u, vas 1, x; + X2,X,X,. Then g([t, u, v]) becomes 
[1, x3 + X4, X3X4]-) 

The next step is to show that g is a morphism, so as to be able to apply 
(5.6). By definition (cf. 1.3.3), this means we must show that except for t = 
u = v = 0, the three homogeneous polynomials defining g have no common 
zeros. Suppose now that g([t, u, v]) = [0, 0, 0]. If t = 0, then from 


u?— 4tv=0 and (v— At)? — 4Btu =0, 


we see that u = v = 0. Thus we may assume that t # 0, and so it makes sense 
to define a new quantity x = u/2t. (Intuition: If we write t, u, v as 1, x, + X>, 
X1X>, then the equation u? — 4tv = 0 becomes (x, — x2)? = 0, 80 x, = X2 = 
u/2t. In other words, we are now dealing with the case that P = +Q.) Notice 
that the equation u? — 4tv = 0 can be written as x” = v/t. Now dividing the 
equalities 
2u(At + v) + 4Bt?=0 and (v— At)? —4Btu=0 

by ¢? and rewriting them in terms of x yields the two equations 

w(x) = 4x(A + x?) + 4B = 4x3 + 4Ax + 4B = 0, 

o(x) = (x? — A)? — 8Bx = x* — 2Ax? — 8Bx + A? =0. 
[These polynomials should be familiar. Their ratio ¢(X)/w(X) is exactly the 
rational function which appears in the duplication formula (III.2.3d).] To 


show that w(X) and 4(X) have no common root, one need merely verify the 
formal identity already used in (4.3), 


(12X? + 16A)¢(X) — (3X3 — SAX — 27B)W(X) = 4(443 + 27B?) 4 0. 


(Note how the non-singularity of the Weierstrass equation plays a crucial 
role here.) This completes the proof that g is a morphism. 
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We return to our commutative diagram, and compute 
h(o(P + Q, P — Q)) = h(co G(P, Q)) 
= h(goa(P, Q)) 
= 2h(o(P, Q)) + O(1) from (5.6), 


since g is a morphism of degree 2. Now to complete the proof of (6.2) for 
f =x, we will show that for all R,, R,¢E(K) there is a relation 


h(o(Ry, Rz)) = h,(Ry) + h,(R2) + OC). 
Then using this relation twice, once on each side of the equation 
h(o(P + Q, P — Q)) = 2h(a(P, Q)) + O(1), 


will give the desired result. 
One immediately verifies that if either R, = O or R, = O, then h(o(R,, R2)) 
equals h,(R,) + h,(R,). Otherwise, we may write 


x(R,) = [01,1] and x(R2) = [a, 1], 
and so 
A(o(Ry, Rz)) = h([1, «4, + %2,0,%2]) and h,(Ry) + h,(R2) = h(a,) + h(a,). 
Then from (5.9) applied to the polynomial (T + «,)(T + «,), we obtain the 
desired estimate 
h(a) + h(a) — log 4 < A(L1, a + a2, 1 %2]) < h(e,) + h(a) + log 2. 


Finally, to deal with the case of an arbitrary even function fe K(E), we 
prove that 


hy = 3(deg fh, + O(1). 


From this, (6.2) follows immediately by multiplying the known relation for h, 
by 3(deg f). Thus the following lemma will complete the proof of (6.2). O 


Lemma 6.3. Let f, g ¢ K(E) be even functions. Then 
(deg g)hy = (deg f)h, + O(1). 


Proor. Let x, ye K(E) be Weierstrass coordinates for E/K. The subfield of 
K(E) consisting of even functions is exactly K(x) (III.2.3.1), so we can find a 
rational function p(X)e K(X) so that there is a commutative diagram 
x 7 sd 
psp, 


Hence using (5.6) and the fact that p is a morphism (II.2.1), 
hy = h,o p = (deg p)h, + O(1). 
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But from the diagram, 
deg f = deg x deg p = 2 deg p, 

so we find 

2h, = (deg f)h, + O(1). 
The same reasoning for g yields 

2h, = (deg g)h, + O(1), 
and combining these last two equalities gives the desired result. O 
Corollary 6.4. Let E/K be an elliptic curve and f € K(E) an even function. 
(a) Let QE E(K). Then for all Pe E(K), 

h,(P + Q) < 2h,(P) + O(1), 


where the O(1) depends on E, f, and Q. 
(b) Let me Z. Then for all Pe E(K), 


h,([m] P) = m*h,(P) + O(1), 
where the O(1) depends on E, f, and m. 


ProorF. (a) This follows immediately from (6.3), since h,(P — Q) > 0. 

(b) Since f is even, it suffices to consider m > 0. Further, the result is trivial 
for m = 0, 1. We finish the proof by induction. Assume it is known for m — 1 
and m. Replacing P, Q in (6.3) by [m]P, P, we find 


h,({m + 1] P) = —h,([m — 1] P) + 2h,([m] P) + 2h,(P) + O(1) 


= (—(m — 1)? + 2m? + 2)h,(P) + O(1) by the induction 
hypothesis 


= (m + 1)?h,(P) + O(1). oO 


Remark 6.5. The above results (6.3, 6.4) are clearly also true for an odd 
function f, since then f? is even, and one easily checks that h,2 = 2hy. 
Although we will not prove it, they are true for arbitrary fe K(E) “to within 
e”. To be precise, say for (6.4b), it is true that for every ¢ >0 there are 
inequalities 


(1 — e)m7h, — O(1) < hy o[m] < (1 + e)m7h, + O(1), 


where now the O(1) depends on E, f, m, and «. (See exer. 9.14c. For a proof in 
a much more general setting, see [La 7, Ch. 4, Cor. 3.5].) 


Remark 6.6. Theorem 6.2 seems to say that the height function h, is “more or 
less” a quadratic form. In section 9 we will see that there is an actual quadra- 
tic form, called the canonical height, which differs from h, by a bounded 
amount. 
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It should be clear that we now have all the tools needed to complete the 
proof of the Mordell—Weil theorem. 


Theorem 6.7 (Mordell—Weil theorem). Let K be a number field and E/K an 
elliptic curve. Then the group E(K) is finitely generated. 


Proor. Choose any even, non-constant function f € K(E), for example the x- 
coordinate function on a Weierstrass equation. The Mordell—Weil theorem 
will now follow immediately from the weak Mordell—Weil theorem (1.1) 
with m= 2 and the descent theorem (3.1), once we show that the height 
function 


h,: E(K) > R 
has the following three properties. 


(i) Let Q¢ E(K). There is a constant C,, depending on E, f, and Q, so that 
for all Pe E(K), 


h,(P + Q) < 2h,(P) + Cy. 
(ii) There is a constant C,, depending on E and f, so that for all Pe E(K), 
h,([2] P) > 4h,(P) — Cp. 
(iii) For every constant C3, 
{P € E(K):h,(P) < C;} 
is a finite set. 


But (i) is a restatement of (6.4a), (ii) is immediate from the m = 2 case of (6.4b), 
and (iii) is just (6.1). This completes the proof of the Mordell—Weil theorem. 
O 


§7. Torsion Points 


The Mordell—Weil theorem implies that the group of rational torsion points 
on an elliptic curve is finite. Of course, this also follows from the correspond- 
ing result for local fields. , 

Since an elliptic curve over a number field K can be treated as an elliptic 
curve over the completion K, for each ve Mg, the local integrality conditions 
for torsion points (VII.3.4) can be pieced together to give the following global 
statement. 


Theorem 7.1. Let E/K be an elliptic curve with Weierstrass equation 
y? + ayxy + a3y =x> + a,x? + ayx + ag 


such that all of the a;’s are in R. Let P€ E(K) be a point of exact order m > 2. 
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(a) If mis not a prime power, then 
x(P), y(P)eER. 
(b) If m = p" is a prime power, for each ve Mg let 


n n-1 


r= Fea (L ] is greatest integer). 
Then 

ord,(x(P)) = —2r, and ord,(y(P)) > —3r,. 
In particular, x(P) and y(P) are v-integeral if ord,(p) = 0. 


The following corollary was proven independently by Lutz and Nagell, 
who had discovered divisibility conditions somewhat weaker than (7.1). 


Corollary 7.2 ({Lut], [Nag]). Let E/Q be an elliptic curve with Weierstrass 
equation 

y? =x3 + Ax + B, A, BeZ. 
Suppose P € E(Q) is a non-zero torsion point. Then 
(a) x(P), y(P)eZ. 
(b) Either [2]P = O, or else y(P)? divides 4A? + 27B?. 
Proor. (a) Let P have exact order m. If m = 2, then y(P) = 0, so x(P)éZ since 
it is the root of a monic integral polynomial. If m > 2, then the result follows 
immediately from (7.1), since the quantity r, in (7.1b) is necessarily 0. 


(b) We assume that [2]P # O, so y(P) # 0. Then applying (a) to both P and 
[2]P, we have x(P), y(P), x([2P])eZ. Let 


b(X) = X* — 2AX? — 8BX + A? 


and 
W(X) = X34 AX +B. 


Then the duplication formula (III.2.3d) reads 
x([2P]) = o(x(P))/4p(x(P)). 
On the other hand, we have the usual polynomial identity (4.3) 
S(X)(X) — g(X)p(X) = 4A® + 27B?. 


(Le. f(X) = 3X? + 4A and g(X) = 3X? — 5AX — 27B.) Now put X = x(P), 
and use the duplication formula and the fact that y(P)? = (x(P)) to obtain 


y(P)?[4f(x(P))x((21P) — g(x(P))] = 44° + 27B?. 


Since all quantities in this equation are integers, the result follows. Oo 
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Remark 7.3.1. A glance at the proof of (7.2b) will show that we actually 
proved that any point Pe E(Q) such that x(P) and x([2]P) are both integers 
has the property that y(P)* divides 4A* + 27B?. The same argument works 
for number fields. Further, even if x(P) or x([2]P) is not integral, any bound 
for their denominators (such as (7.1b)) will give a corresponding bound for 
y(P) (see exer. 8.11). 


Remark 7.3.2. Recall (VII.3.2) that in practice, one of the quickest methods 
for bounding the torsion in E(K) is to choose various finite places v for which 
E has good reduction, and then use the injection (VII.3.1) 


E(K,)[m] > E(k,) 


for m relatively prime to char(k,). 


Example 7.4. The Weierstrass equation 
E:y? = x3 — 43x + 166 

has 

4A? + 27B? = 425984 = 215-13. 
Hence any torsion point in E(Q) has its y-coordinate in the set 

{0, +1, +2, +4, +8, +16, +32, +64, +128}. 

A little bit of work with a calculator reveals the points 

{(3, +8), (—5, +16) (11, +32)}. 


On the other hand, since E has good reduction modulo 3, we know that 
Exors(Q) injects into E(F;) (cf. VII.3.2); and one checks that # E(F,) = 7. This 
still does not prove anything, since the divisibility condition in (7.2b) is only 
necessary, not sufficient. But now using the doubling formula for P = (3, 8), 
one finds 


x(P)=3, x((2]P)=—5, x([4]P)=11,  x([8]P) =3. 


Hence [8]P = +P, so P is a torsion point of exact order 7 or 9. (It doesn’t 
have order 3, since x(P) # x([2]P).) From above, the only possibility is order 
7,80 we conclude that E,,,,(Q) is a cyclic group of order 7 consisting of the six 
points listed above together with O. 


All of the above discussion has focused on characterizing the torsion sub- 
group of a given elliptic curve. Another sort of question one might ask is the 
following. Given a prime p, does there exist an elliptic curve E/Q such that 
E(Q) contains a point of order p? The answer in general is no. For example, 
E(Q) can never contain a point of order 11, a fact which is by no means 
obvious. Such a statement, which deals uniformly with the set of all elliptic 
curves, naturally tends to be more difficult to prove than a result such as (7.2), 
in which the bounds obtained become weaker as the elliptic curve is varied. 
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The definitive characterization of torsion subgroups over Q is given by the fol- 
lowing theorem, whose proof is unfortunately far beyond the scope of this book. 


Theorem 7.5 (Mazur [Maz 1], [Maz 2]). Let E/Q be an elliptic curve. Then the 
torsion subgroup E,,,,(Q) is one of the following fifteen groups: 
Z/NZ 1<N<10 or N=12; 
Z/2Z x Z/ANZ 1<NK<4. 
Further, each of these groups does occur as an E,,,,(Q). (For an example of 
each possible group, see exer. 8.12.) 


For arbitrary number fields, there is the following result of Manin. 


Theorem 7.6 ([Man 2]). Let K/Q be a number field and pe Z a prime. There is 
a constant N = N(K, p) so that for all elliptic curves E/K, the p-primary 
component of E(K) has order dividing p’. 


Taken together, (7.5) and (7.6) provide the best evidence to date for the 
following longstanding conjecture. 


Conjecture 7.7. Let K/Q be a number field. There is a constant N = N(K) so 
that for all elliptic curves E/K, 


|Etors(K)| < N. 


Remark 7.8. For those torsion subgroups which are allowed in Mazur’s 
theorem (7.5), it is a classical result that the elliptic curves E/K having the 
specified torsion subgroup all lie in a 1-parameter family. For example, the 
curves E/K with a point P € E(K) of order 7 all have Weierstrass equations of 
the form 
y? + (1 +d — d’)xy + (d? — d)y = x? + (d? — d)x? P = (0, 0) 
with 
deK and A = d"(d — 1)"(d* — 8d” + 5d + 1) 40. 

(See exer. 8.13a, b. A complete list is given in [Ku].) In general, the elliptic 
curves E/K with a point Pe E(K) of order m > 4 are parametrized by the K- 


rational points of another curve, called a modular curve. (See appendix C §13 
and exer. 8.13c.) 


§8. The Minimal Discriminant 


Let E/K be an elliptic curve. For each non-archimedean absolute value 
ve Mg, we can find a Weierstrass equation for E, 


2 ss 2 
Ww + Qs yXyVy ne a3, vv = Xy + QZ yXy + 4, vXv =F 96,» 
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which is a minimal equation for E at v. Let A, be the discriminant of this 
equation. 


Definition. The minimal discriminant of E/K, denoted Dy)x, is the (integral) 
ideal of K given by 


ox! dy(Ay 
Dux = IT po" oe 


ve Mx 


Here p, is the prime ideal of R associated to v. Thus Dz/x catalogs the 
valuation of the minimal discriminant of E at every place ve Mp. Ina certain 
sense, it is a measure of how arithmetically complicated the elliptic curve E is. 


We now ask whether it is possible to find a single Weierstrass equation 
which is simultaneously minimal for every ve Mg. Let 
y? + ayxy + azy = x? + a,x? + 4x + a5 


be any Weierstrass equation for E/K, say with discriminant A. Then for each 
ve My we can find a change of coordinates 


x= urx, +7, y=uby, + suzx, + ty 


which gives the minimal equation listed above. As usual, the two discrimi- 
nants are related by 


A= u}7A,. 
Hence if we define an ideal, depending on A, by the equation 


—ordy(uy 
ne 


ve M2 


then the minimal discriminant can be written 
Dex = (A)aj?. 


Lemma 8.1. With notation as above, the ideal class of K corresponding to a, is 
independent of A. 


Proor. Take another Weierstrass equation for E/K, say with discriminant A’. 
Then A = u?7A’ for some ue K*, so directly from the definitions we see that 


(A’)a4? = Dex = (A)aj? = (A’) [(u)a,]'?. 
Hence ay, = (u)a,. O 


Definition. The Weierstrass class of E/K, denoted Gg)x, is the ideal class of K 
corresponding to any ideal a, as in (8.1). 


Definition. A global minimal Weierstrass equation for E/K is a Weierstrass 
equation 
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y? + ayxy + a3y =X? + a,x? + agx + dg 


for E/K such that a,, a,, 43, 44, 4g € R and the discriminant A of the equation 
satisfies Dy)x = (A). 


Proposition 8.2. There exists a global minimal Weierstrass equation for E/K if 
and only if g)x = (1). 


Proor. Suppose E/K has a global minimal Weierstrass equation, say with 
discriminant A. Then Yz/x = (A), so with notation as above, 


12 ord,(a,) = ord,(Dg/x) — ord, (A) = 0. 


Hence a, = (1), So Gg/x = class of a, = (1). 

Conversely, suppose d/x = (1). Choose any Weierstrass equation for E/K, 
say with coefficients a,¢ R and discriminant A; and as above, for each ve My 
let 


x= 2X, + ry y = usy, + Sills X + t, 


be a change of variables which produces a minimal equation at v, say with 
coefficients a; , and discriminant A,. We may clearly assume that u, = 1 and 
r, = 8, =t, =0 for all but finitely many v, say for all v not in some set 
Sc Mg. Note also that all of u,, r,, s,, t, are v-integral (VII.1.3d). 
By definition, the fact that @;)x = (1) means that the ideal 
I] porde(u) 


ve M2 
is principal, generated by some ue K*. Then 
ord,(u) = ord,(u,) for all ve MQ. 


Now by the Chinese remainder theorem [La 2, Ch. I, §4], there are elements 
r, s, t€ R so that for the finitely many ve S, we have 


ord,(r — r,), ord,(s — s,), ord,(t —t,)> max {ord,(uia;, ,)}. 
i=1,2,3,4,6 


Now consider the new Weierstrass equation for E/K given by the change 
of coordinates 
x=ux +r y=uey t+ sux’ +t, 
which has coefficients a; and discriminant A’. Then A = u'*A’, so from above 
ord,(A’) = ord,(u~?,A) = ord,((u,/u)'?A,) = ord,(A,). 


Thus the new equation is globally minimal provided that its coefficients are 
all integral. But this is easily checked using the transformation formulas 
(IIL.1.2). If v¢S, then ord,(u) = 0, so each aj is v-integral, since it is a poly- 
nomial in r, s, t, a,, ..., 4g. For veS, we illustrate the argument for a, the 
other coefficients being done similarly. Thus 
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ord,(u7a,) = ord,(a, — sa, + 3r — s*) 
= ord,[u2a,,, —(s — s,)(a, +5 + 8,) + 3(r —1,)] 


= ord,(u? ,»)s 


where the last line follows from the previous one by the choice of r, s and the 
non-archimedean nature of v. Since 
ord,(u) = ord,(u,) and ord,(a,,,) > 0, 


this gives the desired result. im 


Corollary 8.3. If K has class number 1, then every elliptic curve E/K has a 
global minimal Weierstrass equation. In particular, this is true for K = Q. (The 
converse is also true; see exer. 8.14.) 


Example 8.4. The equation 
y=x> +16 
has discriminant A = —2!*33. It is not minimal at 2. The substitution 
x = 4.’ y=8y +4 
gives the global minimal equation 
(YP ty =(’. 
Example 8.5. Let K = Q(./— 10), so K has class number 2, the class group 


being generated by the prime ideal p = (5, ./—10). Consider the elliptic 
curve E/K given by the equation 


E:y? =x? + 125. 


This equation has discriminant A = —2*335°, so it is already minimal at 
every prime of K except possibly for the prime p, which lies over 5. (See 
VII.1.1.) For p, the change of coordinates 


x=(/-10?x y= (/—10)y' 
gives an equation 
(P= (x -2°3 
which has good reduction at p. Hence 
Dujx = (243°) 
and 
Qz/x = ideal class of p. 


In particular, there is no global minimal Weierstrass equation for E/K. 
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Remark 8.6. If K has class number | and E/K is an elliptic curve, then one 
can find a global minimal Weierstrass equation for E/K by finding local 
minimal equations (e.g. by using Tate’s algorithm [Ta 6]) and then following 
the proof of (8.2). There is also an algorithm, due to Laska ([Las 1]), which is 
both fast and easy to implement on a computer. 


Even if R has class number greater than 1, it is often useful to know that an 
elliptic curve E/K has a global Weierstrass equation which is in some sense 
“almost minimal”. The following proposition gives one possibility. (For an- 
other, see exer. 8.14c.) 


Proposition 8.7. Let S < Mx be a finite set of absolute values containing Mg 
and all places dividing 2 and 3. Further assume that the ring of S-integers Rg is 
a principal ideal domain. Then every elliptic curve E/K has a model 


E:y?=x?+Ax+B 
with A, Be Rs and discriminant A = —16(4A> + 27B?) satisfying 
DaxRs == ARs. 


(Such a Weierstrass equation might be called S-minimal.) 


Proor. Choose any Weierstrass equation for E/K of the form 

E:y?=x>+ Ax +B, 
and let A = —16(4A? + 27B?). For each ve My, v¢S, choose a u,eK* so 
that the substitution 

X=Uuyx y=upy’ 
gives a minimal equation at v. Thus 

v(Dzgx) = v(A) — 12v(u,) for all ve Mx, v€S. 
Since Rg is a principal ideal domain, there is a ue K* such that 
v(u) = v(u,) for all ve Mx, v€S. 
Then the equation 
E:y?=x3+u*Ax +u°B 


has the desired property. | 


§9. The Canonical Height 


Let E/K be an elliptic curve and f € K(E) an even function. Theorems 6.2 and 
6.4 say that the height function h, is more or less a quadratic form, at least 
“up to O(1)”. André Néron asked whether one could find an actual quadratic 
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form which differs from h, by a bounded amount. He constructed such a 
function by writing it as a sum of “quasi-quadratic” local functions ([Né 3]). 
At the same time, Tate came up with a simpler global definition. We will give 
Tate’s construction here. (See appendix C §18 for a discussion of local height 
functions.) 


Proposition 9.1 (Tate). Let E/K be an elliptic curve, f ¢ K(E) a non-constant 
even function, and P € E(K). Then the limit 


arn . dea Sit m4" hy([2"]P) 


exists, and is independent of f. 


Proor. We show that the sequence is Cauchy. From (6.4b) with m = 2, there 
is a constant C so that for all Qe E(K), 


Ihy(L2]Q) — 4h,(Q)| < C 
Now let N > M > 0 be integers. Then 
|4-%h,([2%] P) — 4-“h,([2™] P)| 


N-1 
= os 4-" "thy ([2"**] P) — 4-"h, ([2"]P) 


N-1 
< yy 4-""*|h,([2"**]P) — 4h,([2"] P)| 


N-1 
<>) 4""'C using Q = [2"]P above 
n=M 


< Cia. 


This shows that the sequence 4~%h,([2"]P) is Cauchy, so it converges. 
Next suppose g € K(E) is another non-constant even function. Then from 
(6.3), 


(deg g)h, = (deg f)h, + O(1), 
so 
(deg g)4-"h,([2"] P) — (deg f)4-"h,([2*] P) = 4-*O(1) +0 
as N — oo. Hence the limit does not depend on the choice of the function f. 


O 


Definition. The canonical (or Néron—Tate) height on E/K, denoted h or hg, is 
the function 


h: E(K)>R 
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defined by 


1 


A(P) = deg 


Lim 4-%h,([2"] P). 
f N>o 
(Here f € K(E) is any non-constant even function.) 


Remark 9.2. From (9.1), the canonical height is well-defined and is indepen- 
dent of the choice of f. 


Theorem 9.3 (Néron—Tate). Let E/K be an elliptic curve and h the canonical 
height on E. _ 
(a) For all P, Q€ E(k), 


h(P + Q) + h(P — Q) = 2A(P) + 2h(Q) (parallelogram law). 
(b) For all Pe E(K) and meZ, 
h({m] P) = m7h(P). 
(c) his a quadratic form on E. (In other words, h is even, and the pairing 
<, >: E(K) x E(K)>R 
<P, Q> = h(P + Q) — h(P) — h(Q) 


is bilinear.) 
(d) Let Pe E(K). Then h(P) > 0, and 


h(P) =0 if and only if Pisa torsion point. 
(e) Let f € K(E) be an even function. Then 
(deg f)h = hy + O(1), 


where the O(1) depends on E and f. 
Further, if h' : E(K) > R is another function which satisfies (e) for some non- 
constant function f and (b) for any one integer m > 2, then h' = h. 


ProorF. We will start by proving (e), and then return to (a)-(d). 
(ec) In the course of proving (9.1), we found a constant C (depending on the 
choice of f) so that for all integers N > M > 0 and all points Pe E(K), 


|4-"hay([2*]P) — 4M hy(L2M]P)| < C/A, 
Taking M = 0 and letting N > oo gives the desired estimate 
\(deg f)h(P) — hy(P)| < C/4. 
(a) From (6.2), we have 


h,(P + Q) + h,(P — Q) = 2h,(P) + 2h,(Q) + O(1). 
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1 
Replace P, Q by [2%]P, [2%]Q, multiply through by rrr ae and let 


N — oo. The O(1) term disappears, and we obtain 
A(P + Q) + A(P — Q) = 2A(P) + 2A(Q). 
(b) From (6.4b), 
h,([m] P) = m7h,(P) + O(1). 
As usual, replace P by [2%]P, multiply by 4~%, and let N > oo. (Alternative 
proof: Use (a) and induction on m.) 
(c) It is a standard fact from linear algebra that a function satisfying the 
parallelogram law is quadratic. For completeness, we include a proof. 
Putting P = O in the parallelogram law (a) shows that h(—Q) = A(Q), so h 
is even. By symmetry, it suffices to prove that 
<P + R, Q> = <P, Q> + <R, Q), 

which in terms of h becomes 
A(P + R+Q)—A(P + R)—A(P + Q) — A(R + Q) + A(P) + A(R) + h(Q) = 0. 
Now four applications of the parallelogram law (and the evenness of h) give 

h(P + R+Q)+hA(P + R— Q)—2h(P + R) — 2h(Q) =0, 

A(P — R+Q)+h(P + R — Q) — 2A(P) — 2h(R — Q) = 0, 

A(P —R+Q)+h(P + R + Q)— 2A(P + Q) — 2A(R) = 0, 

2h(R + Q) + 2h(R — Q) — 4A(R) — 4A(Q) = 0. 

The alternating sum of these four equations is the desired result. 
(d) The first conclusion is clear, since h,(P) > 0 for all functions f and all 


points P. For the second, note that one implication is immediate; since if P is 
a torsion point, say with [m]P = O for some m > 1, then (b) implies that 


h(P) = m~?h([m]P) = m~7h(0) = 0. 
Conversely, let Pe E(K’) for some finite extension K’/K, and suppose that 
A(P) = 0. Then for every integer m, h([m]P) = m7h(P) = 0. Hence from (e) 
there is a constant C so that for every me Z, 
h,([m]P) = |(deg f)h([m] P) — h,([m] P)| < C. 
Thus the set {P, [2] P, [3]P, ...} is contained in 
{Qe E(K’):h,(Q) < C}. 


But from (6.1), the latter is a finite set, so P must have finite order. 
Finally, to prove uniqueness, suppose fh’ satisfies 


h'o[m]=m7h’ and (deg f)h’ =h, + O(1) 
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for some integer m > 2. Repeated application of the first equality yields 
fh o[m™]=m?%f’ for N=1,2,.... 


Further, since h also satisfies (e), we have 


h' —h=O(\). 
Hence 
h =m-*f' o[m™] 
=m ?%(ho[m™] + O(1)) 
=h+m%O(1) since h satisfies (b). 
Letting N > 00 yields h’ = h. O 


Remark 9.4. Notice that the Mordell—Weil theorem implies that R ® E(K) is 
a finite dimensional real vector space, while (9.3c,d) implies that fA is a 
positive definite quadratic form on the quotient group E(K)/E,,,.(K). [Here 
E,ors(K) is the torsion subgroup of E(K).] Now E(K)/E,,,.(K) sits as a lattice 
in R@E(K), so it would appear to be clear that the extension of fh to 
R ® E(K) is also positive definite. This is true, but as was pointed out by 
Cassels, one must use more than just (9.3c, d). 


Lemma 9.5, Let V be a finite dimensional real vector space, and let L< V bea 
lattice. Suppose q:V—-R is a quadratic form which has the following 
properties: 


(i) Let PEL. Then q(P) = 0 if and only if P = 0. 


(ti) For every constant C, 
{PeL:q(P) < C} 
is a finite set. 


Then q is positive definite on V. 
Proor. Choose a basis for V so that for X = (x,,..., x,)€V, q has the form 
Ss t 
A(X) = Vx} — Y xh 
= = 


where s + t <r = dim(V). (See, e.g. [VdW, §12.7] or [La 8, Ch. XIV, §3, §7].) 
This basis gives an isomorphism V = R"; let » be the measure on V corres- 
ponding to the usual measure on R”. We now need the following elementary 
result, which is due to Minkowski: 


Let Bc V be a convex set which is symmetric about the origin. If p(B) is 
sufficiently large, then B contains a non-zero lattice point. 


For a proof, see for example [H—W, thm. 447] or [La 2, Ch. 5, §3]. Now look 
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at the sets 
Ss t 
B(e, 6) = {x =(x;,...,%,)EV: } x? <eand } x2,,< a. 
i=1 i=1 


They are convex and symmetric about the origin for any ¢, 6 > 0. Let 
A = inf{q(P): PEL, P #0} 


From (i) and (ii), we have 4 > 0. 

Now suppose that q is not positive definite on V, so s <r. Then from 
Minkowski’s theorem, the set B(3, 6) contains a non-zero lattice point P if 6 
is sufficiently large. (The volume of B(4A, 6) is infinite if s + t <r, and grows 
like 6’? as 5 > & ifs + t =r.) But then 


s t 
q(P) = > x? - See 
i=1 i=1 2 


contradicting the definition of 2. Therefore q is positive definite on V. 
O 


Proposition 9.6. The Néron—Tate height is a positive definite quadratic form on 
the vector space R ® E(K). 


Proor. This follows from (9.5) applied to the lattice E(K)/E,,,,(K) inside 
R ® E(K). Condition (i) of (9.5) is exactly (9.3c, d); while condition (ii) of (9.5) 
follows from (9.3e), which says that bounding f is the same as bounding hy, 
and then applying (6.1). Ol 


We now have the following quantities associated to E/K: 


R ® E(K) a finite dimensional vector space, 
a positive definite quadratic form on R © E(k), 
E(K)/E,o,5(K) a lattice in R @ E(K). 


Now in such a situation, an extremely important invariant is the volume of a 
fundamental domain for the lattice, computed with respect to the metric 
induced by the quadratic form. (For example, the discriminant of a number 
field K is the volume of its ring of integers with respect to the quadratic form 
x > tracex/@(x’). Similarly, the regulator of K is the volume of its unit group, 
using the logarithm mapping and the usual metric on Euclidean space.) 


Definition. The Néron—Tate pairing on E/K is the bilinear form 
<, >: E(K) x E(K) +R 
defined by 
<P, Q) = h(P + Q) — h(P) — h(Q). 
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Definition. The elliptic regulator of E/K, denoted Rg), is the volume of a 
fundamental domain for E(K)/E,,,,(K), computed using the quadratic form h. 
In other words, choose P,, ..., P.€ E(K) to generate E(K)/E,,,,(K). Then 


Ryjx = det(<P,, Pi) )isiss . 


SJsSr 
(If r = 0, we set Rz)x = 1 by convention.) 
As an immediate corollary to (9.6), we obtain: 


Corollary 9.7. The elliptic regulator is always positive. 


Remark 9.8. We have defined the elliptic regulator using the absolute height. 
Sometimes it is defined using the height relative to the given field K. As is 
immediately clear, this new regulator would differ from the old regulator by a 
factor of [K : Q]’. 


Since A(P) > 0 for all non-torsion points Pe E(K), a natural question to 
ask is how small can A(P) be? One would like to say that h(P) must be large if 
the elliptic curve is “complicated” in some sense. The following precise con- 
jecture is a slight generalization of a conjecture of Lang [La 5, p. 92]. 


Conjecture 9.9. Let E/K be an elliptic curve with j-invariant j, and minimal 
discriminant Dz). There is a constant c > 0, depending only on [K : Q], so that 
for all non-torsion points P € E(K), 


A(P) > c max {h(j,), log Nea zyx; 1}. 


Note that the strength of the conjecture lies in the fact that the constant c is 
independent of both the elliptic curve E and the point P. Such estimates have 
applications to counting integral points on elliptic curves (see (IX.3.5) for a 
discussion). Conjecture 9.9 is known to be true if one restricts attention to 
elliptic curves whose j-invariant is integral; and more generally such an 
estimate exists with the constant c depending on [K : Q] and the number of 
prime ideals dividing the denominator of j,. (See [Sil 1] and [Sil 5] for 
details. A special case is given in exer. 8.17.) 


§10. The Rank of an Elliptic Curve 
It follows from the Mordell—Weil theorem (6.7) that the Mordell—Weil group 
E(K) of an elliptic curve E/K can be written in the form 

E(K) © Evors(K) x Z". 


As we have seen (§7), the torsion subgroup E,,,,(K) is relatively easy to 
compute, both in theory and in practice. The rank r is much more mysterious, 
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and an effective procedure for determining it in all cases is still being sought. 
There are very few general facts known concerning the rank of elliptic curves, 
but there are a number of fascinating conjectures. In this section we will 
briefly discuss some of these conjectures. (See chapter X for a description of 
some of the methods which have been developed for actually computing the 
group E(K).) 

The rank of a “randomly chosen” elliptic curve over Q tends to be fairly 
small, and it is quite difficult to produce such curves of even moderately high 
rank. None the less, there is the following “folklore” conjecture. 


Conjecture 10.1. There exist elliptic curves E/Q of arbitrarily large rank. 


The principal evidence for this conjecture comes from work of Shafarevich 
and Tate ([Sha—T]), who show that the analogous result is true for function 
fields (i.e. when Q is replaced by the field of rational functions F,(T)). Néron 
has constructed an infinite family of elliptic curves over @ having rank at 
least 11 (C.20.1.1), and Mestre ([Mes 2]) has produced examples with higher 
rank. For example, Mestre shows that the elliptic curve 


y? — 246xy + 36599029y = x3 — 89199x? — 19339780x — 36239244 


has rank at least 12 over Q; and his ideas can be used to produce curves of 
even higher rank. (However, they do not seem well-suited to producing 
infinite families of such curves.) 

Attached to an elliptic curve E/K is a certain Dirichlet series L,,x(s), called 
the L-series of E/K. (See (exer. 8.19) and (C §16) for the definition of Lg)x.) For 
the moment, it is enough to know that the definition of L;/x(s) involves only 
the number of points on the reduction E(k,) for each finite place ve Mg. 
There is a conjecture, due to Birch and Swinnerton-Dyer, which says that 
Lg)x(s) has a zero at s = 1 whose order exactly equals the rank of E(K). 
Further, the leading coefficient in the Taylor series expansion of Lg)x(s) 
around s = 1 should be expressable in terms of various global arithmetic 
quantities associated to E(K), including the elliptic regulator Rz/,x. Thus in 
some sense, the conjecture of Birch and Swinnerton-Dyer is a version of the 
Hasse principle which applies to elliptic curves, since it (hypothetically) 
shows how information about the v-adic behavior of E for all places ve Mx 
determines global information such as the rank of E(K) and the elliptic 
regulator Rzx. (For a more detailed discussion of L-series and the conjecture 
of Birch and Swinnerton-Dyer, including some of the progress made in prov- 
ing it, see appendix C §16.) 

In addition to having an effective method for computing the rank of an 
elliptic curve, it would be good to have a theoretical description of just how 
large a generating set need be. Based partly on analogy with the problem of 
computing generators for the unit group of a number field.and partly on a 
number of very deep conjectures in analytic number theory, Serge Lang has 
suggested the following. 
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Conjecture 10.2 (Lang [La 9]). Let E/Q be an elliptic curve of rank r. Then 
there is a basis P,,..., P, for the free part of E(Q) satisfying 


A(P) < C.|Peaql?** foralll <i<r. 
/Q 


Here h is the canonical height on E (cf. §9), Dz)q is the minimal discriminant of 
E/Q (cf. §8), and C, is a constant depending only on ¢. (Lang’s conjecture is 
actually more precise, see [La 9].) 


Since h is the logarithmic height, (10.2) says that the x-coordinates of the 
generators might grow exponentially with the discriminant of the curve. 
(Similarly, the height H(u) of a generator for the unit group in a real quadra- 
tic field seems to grow exponentially with the discriminant of the field. Of 
course, it is easy to choose a sequence of such fields for which H(u) grows 
polynomially; but on average, one expects the growth to be exponential.) The 
expected exponential behavior for elliptic curves is illustrated by the follow- 
ing example of Bremner and Cassels [Br—C]. They show that the elliptic 
curve 


y? = x3 + 877x 
has rank 1, and the x-coordinate of a generator P is given by 
x = (612776083187947368101/7884153586063900210)?. 
To compare this example with Lang’s conjecture, we compute 
log h(P)/log| Dz.ql * 0.2, 


which is well within the suggested bound of } + «. 


EXERCISES 


8.1. Let E/K be an elliptic curve, m > 2 an integer, % the ideal class group of K, 
and 


S = {ve Mf: E has bad reduction at v} U {ve Mg: v(m) # 0} U MZ. 


Assuming that E[m] c E(K), prove the following quantitative version of the 
weak Mordell—Weil theorem: 


rank 7mz(E(K)/mE(K)) < 2#S + 2 rankzj_z%q[m]. 
8.2. For each integer d > 1, let E,/Q be the elliptic curve 
E,:y? =x3 — d?x. 
Prove that 
E,(Q) & finite group x Z’ 
for some integer 


r < 2v(2d), 
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8.3. 


8.4. 


8.5. 


8.6. 


8.7. 


8.8. 
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where v(N) denotes the number of distinct primes dividing N. [Hint: Use exer- 
cise 8.1.] 


Let E/K be an elliptic curve and L/K an (infinite) algebraic extension. Suppose 

that the rank of E(M) is bounded as M ranges over all finite extensions M/K 

contained in L. 

(a) Prove that E(M) @ Q is finite dimensional (as a Q-vector space.) 

(b) Assume further that L/K is Galois and E,,,,(L) is finite. Prove that E(L) is 
finitely generated. 


Assume that p,, < K. Prove that the maximal abelian extension of K of expo- 
nent m is the field 

K(a"™ : ae K). 
[ Hint: Use (2.2), which in this case says that every homomorphism 4: Ggx > Hm 
has the form y(o) = «°/« for some ae K*.] 


Let €€H'(Ggx,M) be unramified at v. Prove that there is a 1-cocycle 
c: Ggx > M in the cohomology class of € such that c, = 0 for all oe /,. [Hint: 
Use the inflation-restriction sequence (B.2.4) for I, < Gxjx.] 


Prove Kronecker’s theorem: Let x¢@*. Then H(x) = 1 if and only if x is a root 
of unity. (This is the multiplicative-group version of (9.3d).) 


(a) Give an explicit upper bound, in terms of N, C, and d, for the number of 


points in 
{PeP*(Q): H(P) < C and [Q(P): Q] < d}. 
(b) Let 
vx(N, C) = #{PeP%(K): Hy(P) < C}. 
Prove that 


ve(N,C)~ CX/E(N +1) asC>0, 


where {(s) is the Riemann ¢-function. (For more about v,(N, C), see (5.12).) 


Prove the following standard facts about height functions. 
(a) H(x,x2°*'Xy) < A(x,)H(x2)--* H(xy). 
(b) H(x, + x2 +++ + Xy) < NH(x,)H(x2)** H(xy). 
(c) For P = [Xx,..., xy]eP* and Q =[yo,..., yw JE P™, let: 
P*Q = [Xo Vos XoVis +++ XiVjr ees Xv Yule Pee 
Then 
H(P*Q) = H(P)H(Q). 


(The map (P, Q) > P*Q is the Segre embedding of PY x P™ in PMN*+M+N, See 
(Har, exer. I.2.14].) 
(d) For P = [xo,..., xy] EP", let 


P® =[f,(P),..., fu(P)]eP™%, 
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where M = ("x*) — 1, and fo(X), ...,f(X) are the M possible monomials of 
degree din the N + 1 variables Xo, ..., Xy. Then 


H(P) = H(P)! = H([xé,..., x4]). 


(The map P > P® is the d-uple embedding of P® in P™. See [Har, exer. 
1.2.12])) 
(e) If x #0, then 


H(1/x) = H(x). 
(f) Let K be a number field and let xo, ..., xy €K be algebraic integers. Then 


H([Xo, «+» Xv]) < max H(x,)'), 
O<i<N 


Let Xo, ..., Xy€K, and let b be the fractional ideal of K generated by x,..., Xy. 
Then 


Ax([%o, See PD Xw]) = (Nxiab) * I max {xl}. 


© O<i<N 


Let F be the rational map (1.3.6) which is a morphism at every point except 
[0, 1, 0], 


F:P? Pp? 
Lx, y, 2] > [x?, xy, 27]. 
Prove that for all constants C, ¢ > 0, there is a point P¢ P?(Q) so that 
H(F(P)) < CH(P)'**. 


In particular, (5.6) becomes false if the map F is merely required to be a rational 
map. 


. Prove the following generalization of (7.2) to arbitrary number fields. 


Let E/K be an elliptic curve given by an equation 
yy=x?+Ax+B 


with A, Be R, and let A = 4A? + 27B?. Let Pe E(K) be a point of exact order 
m > 3, and let ve Mp. 
(a) If m = p" is a prime power, then 


—6r, < ord,(y(P)”) < 6r, + ord,(A), 


| ord,(p) | 
= n n-1 ]° 
Pp —P 


(b) If m = 2p" is twice a prime power, then 


0 < ord,(y(P)”) < 2r, + ord, (A), 


where 


where r, is as in (a). 
(c) If mis not of the form p” or 2p", then 


0 < ord,( y(P)”) < ord,(A). 
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For each of the following elliptic curves, calculate E,,,,(Q). 
a) y>=x3-2 

is i =x?+8 

(c) y>=x? +4 

(d) y?=x?+4x 

(e) y ale xe — x? 

(f) yy=x3 41 

(2) yy>+y=x3—x 4+ 137 

(h) y? + 7xy = x3 + 16x 

(i) y?+xyty=x3—x? — 14x + 29 
(j) y? +xy =x? — 45x + 81 

(k) y? + 43xy — 210y = x3 — 210x? 

() y?=x3—4x 

(m) y? + xy — 5y = x3 — 5x? 

(n) y? + 5xy — 6y = x3 — 3x? 

(o) y? + 17xy — 120y = x? — 60x? 


(a) Let E/K be an elliptic curve and Pe E(K) a point of order at least 4. By an 
appropriate change of coordinates, show that E has an equation of the form 


E:y? + uxy + vy = x? + vx? 


with u, ve K and P = (0, 0). 

(b) Show that there is a one-parameter family of elliptic curves E/K with a K- 
rational point of order 6. [Hint: Set [3]P = [—3]P in (a), and find how u 
and v must be related.] Same question for points of order 7; order 9; order 
12. 

(c) Show that the elliptic curves E/K with a K-rational point of order 11 are 
parameterized by the K-rational points of a certain elliptic curve. 


(a) Generalize (8.2) as follows. Let E/K be an elliptic curve, and let a by any 
integral ideal in the ideal class a,,,. Then there is a Weierstrass equation for 
E with coefficients a;e R and discriminant A satisfying 


(A) = Deja’. 


(b) Suppose that E/K has everywhere good reduction and the class number of 
K is relatively prime to 6. Then E/K has a global minimal Weierstrass 
equation. 

(c) Every elliptic curve E/K has a Weierstrass equation with coefficients a;e R 
and discriminant A satisfying 


INxj@Al < [Disc K/Q|°|NxjqPepxl- 


(Qualitatively, this says that one can find a Weierstrass equation whose non- 
minimality is bounded solely in terms of K. Such an equation might be 
called quasi-minimal.) 

(d) Let b be any ideal class of K. Prove that there is an elliptic curve E/K such 
that gx = b. In particular, if K does not have class number 1, then there 
exist elliptic curves over K which do not have global minimal Weierstrass 
equations. (This gives a converse to (8.3).) 
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Prove that there are no elliptic curves E/Q having everywhere good reduction. 

(Hints: Take a Weierstrass equation with integral coefficients and discriminant 
A= +1. Show a, is odd, so c, = 1(8). Substitute c, = u + 12 into c3 — c2 = 
1728. Show u = 3v and c, = 9w. Then w = ¢? or 327. Rule out the former by 
finding w (mod 8), and the latter by showing that it leads to v and w being 
infinitely 3-divisible. ] 


Show that the conclusion of (9.5) is false if the quadratic form q is not required 
to satisfy the finiteness condition (ii). 


Fix non-zero integers A, B with 443 + 27B? 4 0. For each d #0, let E,/Q be 
the elliptic curve 


Eq: y? =x? + d?Ax + d3B. 


Prove that for all square-free integers d # 0: 

(a) jg is independent of d; 

(b) log |De,ql = 6 log |d| + O(1); 7 

(c) Every Pe E,(Q) satisfies either [2] P = 0 or h(P) > 4 log |d| + O(1). 

(d) For all but finitely many square-free integers d, the torsion subgroup of 
E,(Q) is one of {0}, Z/2Z, or (Z/2Z)?. 

(Here the O(1)’s may depend on A and B, but they should be independent of d. 

This exercise provides a proof of conjecture 9.9 for the family of curves E,.) 

[Hint for (c): If P =(r, s)€ E,(Q), then P’ = (r/d, s/d3)€ E,. Show that h(P) = 

A(P’), that either s = 0 or h,(P’) is greater than 4 log |d|, and that |h — 4h, | is 

bounded.] 


. Let E/K be an elliptic curve given by a Weierstrass equation 


E:y?=x3+Ax+B. 


(a) Prove that there are absolute constants c, and c, such that for all points 
Pe E(K), 


|h,([2]P) — 4h,(P)| < c, h(LA, B, 1]) + ¢2. 


Find explicit values for c, and c,. [Hint: Combine the proofs of (4.2) and 
(5.6), keeping track of the dependence on the constants. In particular, notice 
that the use of the Nullstellensatz in (5.6) can be replaced by the explicit 
identities given in (4.3).] = 

(b) Find absolute constants c, and c, so that for all points Pe E(K), 


[th,(P) — h(P)| < csh(LA, B, 1]) + cq. 


[Hint: Use (a) and the proof of (9.1).] 7 
(c) Prove that for all integers m > 1 and all points P, Q € E(K), 


|h,(Lm] P) — m7h,(P)| < 2(m? + 1) (csh(LA, B, 1]) + ca); 
and 

h,(P + Q) < 2h,(P) + 2h,(Q) + S5(c3h(LA, B, 1]) + ca). 
[Hint: Use (b) and (9.3).] 
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(d) Let Q,, ..., Q, be a set of generators for E(K)/2E(K). Find absolute constants 
C5, Cg, and c; so that the set of points P € E(K) satisfying 


h,(P) < Cs max {h,(Q))} + cg h(LA, B, 1]) + Cy 


contains a complete set of generators for E(K). [Hint: Follow the proof of 
(3.1), using (c) to evaluate the constants that appear. ] 
The L-Series Attached to an Elliptic Curve. Let E/Q be an elliptic curve, and 
choose a global minimal Weierstrass equation 


y? + ayxy + a3 = x3 + a,x? + a,x + dg 


for E/Q (cf.8.3). For each prime p, let A, be the number of points on the reduced 
curve E mod p (remember to include the point at infinity); and let 


tp=1+p—A,. 
The L-Series associated to E/Q is defined by the Euler product 
L,(s)= [] @—t,p°)* [] (@-tpp s+ pi *)™. 
p|A(E) pI} A(E) 


(a) If L,(s) is expanded as a Dirichlet series Xc,n~*, show that its p™ coefficient 
(for p prime) satisfies c, = t,. 

(b) If E has bad reduction at p (so p divides A(E)), prove that t, = 1, —1, or 0 
according as the reduced curve E (mod p) has a node with tangents whose 
slopes are rational over F,, a node with tangents quadratic over F,, or a 
cusp (cf. exer. 3.5). 

(c) Prove that the Euler product for L,(s) converges for all seC with 
Re(s) > 3/2. [Hint: Use (V.1.1).] 

(There are a number of important conjectures concerning the L-series 
attached to elliptic curves. See appendix C §16.) 


CHAPTER IX 


Integral Points on Elliptic Curves 


An elliptic curve may have infinitely many rational points, although the 
Mordell—Weil theorem at least assures us that the group of rational points is 
finitely generated. Another natural Diophantine question is that of determin- 
ing, for a given (affine) Weierstrass equation, which rational points actually 
have integral coordinates. In this chapter we will prove a theorem of Siegel 
which says that there are only finitely many such integral points. Siegel gave 
two proofs of his theorem, which we present in sections 3 and 4. Both proofs 
make use of techniques from the theory of Diophantine approximation, and 
so do not provide an effective procedure for actually finding all of the integral 
points. However, his second method of proof reduces the problem to that of 
solving the so-called “unit equation”, which in turn can be effectively resolved 
using transcendence theory. We will discuss this method, without giving 
proofs, in section 5. 

Unless otherwise specified, the notations and conventions for this chapter 
are the same as those for chapter VIII. In addition, we set the following 
notation: 


A, Hx height functions (see VIII §5) 

n, = [K,: Q,] local degree for v€ Mx (see VIII §5) 

Sc Mx generally a finite set of absolute values containing Mr 
Rs the ring of S-integers of K 


Ry = {x€K: v(x) > 0 for all ve My, v¢S} 
Rt the unit group of Rs. 
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§1. Diophantine Approximation 


The fundamental problem in the subject of Diophantine approximation is 
the question of how closely an irrational number can be approximated by a 
rational number. 


Example 1.1. For every rational number p/q, we know that the quantity 
\(p/q) - e2 | is positive; and since Q is dense in R, an appropriate choice of 
p/q will make it as small as desired. The problem is to make it small without 
taking p and q too large. The next two elementary results illustrate this idea. 


Proposition 1.2 (Dirichlet). Let «eR with a¢ Q. Then there are infinitely many 
p/qeQ such that 


ProorF. Let Q be a large integer, and look at the set 
{qa = [qa] :q = 0, 1, areroks: Q}. 


(Here [ ] means greatest integer.) Since « is irrational, this set consists of 
Q + 1 distinct numbers in the interval between 0 and 1; so by the pigeon-hole 
principle there are integers 0 < q, < q2 < Q satisfying 


(q1% — [41%]) — (42% — [a2%])] < 1/2. 


Hence 
[42%] -[40] Z 1 Z 1 7 
92-41 (q2—-41)2 (42 — 41) 
This provides one rational approximation to « with the desired property, and 
by increasing Q one can clearly obtain infinitely many. oO 


Remark 1.2.1. A result of Hurwitz says that the 1/q? in (1.2) can be replaced 
by 1/,/5q?, and that this is best possible. (See, e.g., JH—-W, thm. 195].) 


Proposition 1.3 (Liouville [Liou]). Let «¢Q be of degree d > 2 over Q (ie. 
[Q(«):Q] =d). There is a constant C > 0, depending on a, so that for all 
rational numbers p/q, 


ProoF. Let 
f(T) = a)T4 + 7 Uae a: Sia a,éZ[T] 
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be the minimal polynomial for a. Let 
C, =sup{f(j):a-1<t<a+ I}. 
Suppose now that 


P 
—-—4 


q 
Then from the mean value theorem, 


(0-0) 


On the other hand, q“f(p/q)¢Z; and f(p/q) 4 0 since f can have no rational 


roots. Hence 
p 
q’f (2) 
q 


Combining the last two inequalities gives 


<i. 


<C, Laer 
q 


21. 


p 
——@ > ani 
q q° 
which holds for all p/q if we take C = min{1/C,, 1}. Oo 


Remark 1.3.1. Liouville used his theorem to prove the existence of transcen- 
dental numbers. (See exer. 9.2.) Note that it is quite easy to find the constant 
C in Liouville’s theorem explicitly in terms of «. This is in marked contrast to 
the results which we will consider below. 


Proposition (1.2) says that every real number can be approximated by 
rational numbers to within 1/q?, while proposition (1.3) says that an algebraic 
number of degree d can be approximated no closer than C/q‘. For quadratic 
irrationalities, there is little more to say; but if d > 3, then one naturally asks 
what the best exponent is. There is also no particular reason to restrict the 
approximating values to Q; it is useful to allow them to range over any fixed 
number field K. Finally, in measuring how close the approximation is, any 
absolute value should do. 


Definition. Let t(d) be a positive real-valued function on the natural num- 
bers. A number field K is said to have approximation exponent 1 if the 
following condition holds: 


Let we K, d = [K(«): K], and ve Mg an absolute value on K extended 
in some fashion to K(«). Then for any constant C, there exist only 
finitely many xe K satisfying the inequality 


Ix — al, < CHy(x)®. 


244 IX. Integral Points on Elliptic Curves 


Thus the elementary estimate of Liouville’s theorem (1.3) says that @ has 
approximation exponent t(d) = d+ for any ¢>0. This result has been 
successively improved by a number of mathematicians. We give a short list. 


Liouville 1851 t(dd)=d+e 
Thue 1909 «(d)=4d+1+e 
Siegel 1921 r(d)=2,/d +e 
Gelfond, Dyson 1947 1t(d)=./2d +8 
Roth 1955 t(d)=2+.e. 


In view of (1.2), Roth’s result is essentially best possible, although it is not 
unlikely that the ¢ can be replaced by some function ¢(d) such that e(d) > 0 as 
d— oo. We should also mention that Mahler showed how to handle several 
absolute values at once, and W. Schmidt ({[Schm 2, Ch. VI]) dealt with the 
more difficult problem of simultaneously approximating several irrationals. 

The main ideas which go into the proof of Roth’s theorem are quite 
beautiful; and, at least in theory, relatively elementary. Unfortunately, to 
develop those ideas fully would take us rather far afield. Hence rather than 
include the complete proof, we will be content to state here the result that we 
will be using. Then, in section 8, we will briefly sketch the proof of Roth’s 
theorem without actually giving any of the myriad details. 


Theorem 1.4 (Roth’s Theorem). For every ¢ > 0, every number field K has 
approximation exponent 


t(d)=2+ 6. 


ProoF. See §8 for a brief sketch. A nice exposition for K = Q and the usual 
(archimedean) absolute value is given in [Schm 2, Ch. V]; the general case is 
in [La 7, Ch. 7]. oO 


Example 1.5. How do theorems on Diophantine approximation lead to 
results concerning Diophantine equations? Consider the simple example of 
solving the equation 


3 


x3—2y=a 


in integers x, yeZ, where aeZ is fixed. Suppose (x, y) is a solution with 
y #0. Let ¢ be a primitive cube root of unity, and factor the equation as 


ae x x a 
—— 2/2 *_¢33)(£-ey2)= 5. 
(; ) (; wv y V2 y°? 

The second and third terms in the product are bounded away from 0, so we 
obtain an estimate 


«3 <5 
y yl 
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for some constant C independent of x and y. Now from (1.4), or even Thue’s 
original theorem with t(d) = 3d + 1 + &, we see that there are only finitely 
many possibilities for x and y. Hence the equation 


x3 —2y3 =a 


has only finitely many solutions in integers. This type of argument will 
reappear in the proof of (4.1). (See also exer. 9.6.) 


Remark 1.6. The statement of (1.4) says that there exist only finitely many 
elements of K with a certain property. This phrasing is especially felicitous, 
because the proof of (1.4) is not effective. In other words, there is no effective 
procedure which is guaranteed to produce all of the elements in this finite set. 
(See (8.1) for a discussion of why this is so.) We note that as a consequence, all 
of the finiteness results which we will prove in sections 2 and 3 are ineffective, 
since they rely on (1.4). (Similarly, in (1.5), the proof yields no explicit bound 
for |x| and |y| in terms of a.) However, there are other methods, based on 
estimates for linear forms in logarithms, which are effective. We will discuss 
these, without proof, in section 5. 


§2. Distance Functions 


A Diophantine inequality such as 
|x — al, < CHx(x)"™@ 


consists of two pieces. First, there is the height function Hx(x), which is an 
arithmetic measure of the size of x. We have already studied height functions 
and their transformation properties in some detail (VIII §5, 6). Second, there 
is the quantity |x — «|,, which is a topological measure of the distance from x 
to a (ie. in the v-adic topology). In this section we will define a notion of 
v-adic distance on curves, deduce some of its basic properties, and reinterpret 
the Diophantine approximation result from section 1 in terms of this 
distance. 


Definition. Let C/K be a curve and P, Qe C(K,). Let tg¢ K,(C) be a function 
with a zero of order e > 1 at Q. The (v-adic) distance from P to Q, denoted 
d,(P, Q), is given by 

d,(P, Q) = min {|tg(P)Io”, 1}. 


(Of course, if P is a pole of tg, then |tg(P)|, = 0, so we naturally set 


d,(P, Q) = 1,) 


Remark 2.1. Clearly the distance function d, has the right qualitative pro- 
perty; d,(P, Q) is small if P is v-adically close to Q. On the other hand, it 
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certainly depends on the choice of tg, so possibly a better notation would be 
d,(P, tg). However, since we will only use d, to measure the rate at which two 
points approach one another, the following result will show that all of our 
theorems make sense. 


Proposition 2.2. Let Q¢C(K,), and let tg and tg be functions vanishing at Q. 
Then with the notation of (2.1), 
.. log d,(P, to) _ 1 
Pecik,) log d,(P, tg) i 
P-Q 


(Here PQ means PeC(K,) approaches Q in the v-adic topology; i.e., 
d,(P, tg) > 0.) 


Proor. Let tg and tg have zeros of order e and e’ respectively at Q. Then the 
function ¢ = (tg)*/(tg)* has neither a zero nor a pole at Q. Hence |¢(P)|, is 
bounded away from 0 and o as P>Q;soas P>Q, 


log d,(P, t) _ , , log |p(P)ls" 

log d,(P, tg) ~ log d,(P, tg) 

Next we examine the effect of finite maps on the distance between points. 

The crucial observation is that it depends on the ramification of the map, 
rather than on its degree (compare (2.3) with (VIII.5.6)). 


Proposition 2.3. Let C,, C,/K be curves and f :C, > C, a finite map defined 
over K. Let Q€C,(K,), and let e,(Q) be the ramification index of f at Q (cf. II 
§2). Then 


log di(f(P) £0) _ 
recut log d,(P,Q) 2) 


Proor. Let tg€K,(C,) and tpg,€K,(C,) be uniformizers at the indicated 
points. By definition of ramification index, we can write 


trqof = td, 


where ¢é€ K,(C,) has neither a zero nor a pole at Q. It follows that |¢(P)|, is 
bounded away from 0 and oo as P > Q. Therefore 


log d.(f(P), FQ) _ log Itpa( SP). 


log d,(P, Q) log Ito(P)|. 
log |to(P)|. 
— e,(Q) as PQ. oO 


Finally, we reinterpret (1.4) in terms of distance functions. 
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Corollary 2.4 (of 1.4). Let C/K be a curve, f € K(C) a non-constant function, 
and Qe C(K). Then 
_. - log d,(P, Q) 
Lim inf ————__—- > —2. 
pec(k) log Ax(f(P)) 
P>Q 
(Here P > Q means that P approaches Q in the v-adic topology. We obviously 


do not allow P = Q. If Q is not a (v-adic) accumulation point of C(K), then we 
define the Lim inf to be 0.) 


Proor. Replacing f by 1/f if necessary, we may assume that f(Q) # oo. (Note 
that H,((1/f)(P)) = Hx(f(P)).) Then from the definition of d,, we may take 


d,(P, Q) = min{|f(P) — f(Q)|e", 1}, 
where e > 1 is the order of vanishing of the function f — f(Q) at 0. Hence 
_.. , logd,(P,Q) _,. . ,log|f(P) — f(Q)|, 
nd log Hx(S(P)) “rage log Ha(S(P)) 
er fenectiion = f(D) _ +. 


 @ pag log Hx(f(P)) 


Now if we take 
tT=2+6, 
then (1.4) implies that 
Ax(f(PIF(P) — (Dio > 1 
for all but finitely many P ¢ C(K). Therefore 
. , , log d,(P, Q) t 2+6 
vey log He(f(P) ee 


Since ¢ > 0 is arbitrary, and e > 1, this gives the desired result. oO 


§3. Siegel’s Theorem 


In this section we will prove the following theorem of Siegel, which represents 
a significant improvement on the Diophantine approximation result (2.4). 


Theorem 3.1 (Siegel). Let E/K be an elliptic curve with #E(K) = 00, f € K(E) 
a non-constant even function, ve Mx, and Qe E(K). Then 


peR(K) —‘A(P) 


hy(P)> 00 
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Remark 3.1.1. Although we will only prove (3.1) for even functions, it is in fact 
true in general. (See exer. 9.14d.) 


Before giving the proof of (3.1), let us give some indication of just how 
strong a theorem it is. 


Corollary 3.2.1. Let E/K be an elliptic curve with Weierstrass coordinate func- 
tions x and y, let S < Mx be a finite set of places containing MR, and let Rs be 
the ring of S-integers of K. Then 


{Pe E(K):x(P)eRs} 


is a finite set. 


Proor. We apply (3.1) with the function f = x. Thus suppose that P,, P,,---€ 
E(K) is a sequence of distinct points with x(P,)eé Rs. From the definition of 
the height it follows that 


1 eis 
h,(P;) = [K-02 log max {1, |x(P;)|0"}s 


since for the terms with v¢S, we have |x(P;)|, < 1. Hence by choosing a 
subsequence of the P,’s, we may assume that 
h(P;) < #S-log|x(P)|, _—_—for alli, 


where veS is a fixed absolute value. (Note that n, < [K : Q].) In particular, 
|x(P;)|, 00. Since the only pole of x is at O, it follows that d,(P,, 0) > 0. 

Now since x has a pole of order 2 at O, we can take as our distance 
function 

d,(P;, 0) = min {|x(P,)|, "7, 1}. 
Then for all sufficiently large i, we have 
—log d,(P;, O) > 1 
h(P) ~ 2#S 

But this contradicts (3.1), which says that the left-hand side must approach 0 
asi oo. Oo 


Clearly the proof of (3.2.1) can be applied to any even function, not just x, 
since (3.1) is given for all even functions. However, one can actually reduce 
the case of arbitrary (not necessarily even) functions to the special case given 
by (3.2.1). This reduction step is also important in its own right, since it is 
used both in Siegel’s second proof of finiteness (4.3.1) and with the effective 
methods provided by linear forms in logarithms (5.7). 


Corollary 3.2.2. Let C/K be a curve of genus 1, and let f € K(C) be a non- 
constant function. Let S and Rg be as in (3.2.1). Then 
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{PeC(K): f(P)eRs} 
is a finite set. Further, (3.2.2) follows formally from (3.2.1). 


Proor. We are clearly proving something stronger if we extend the field K 
and enlarge the set S. We may thus assume that C(K) contains a pole Q of /f. 
Then (C, Q) is an elliptic curve over K; let x and y be coordinates on a 
Weierstrass equation for (C, Q), which we may take in the form 


y>=x>+Ax+B. 
Now fe K(C) = K(x, y) and [K(x, y): K(x)] = 2, so we can write 
(x) + Wx)y 
n(x) 


with polynomials ¢(x), w(x), 4(x)€K[x]. Further, since ordg(x) = —2, 
ordg(y) = —3, and ordg(f) < 0, it follows that 


2 deg n < max {2 deg ¢, 2 deg w + 3}. 


f(x, y) = 


(Le. This is the condition for f to have a pole at Q.) Next we compute 


(f(x) — 6())? = Wey)? = W(x)?(x? + Ax + B). 


Writing this out as a polynomial in x with coefficients in K[ f], we see that 
the highest power of x will come from one of the terms f?n(x)*, ¢(x)?, or 
W(x)?x>. From above, the first of these has lower degree (in x) than the latter 
two, while the leading terms of (x)? and W(x)?x? cannot cancel, since they 
have different degrees. It follows that x satisfies a monic polynomial over 
K[f]. (Le. x is integral over K[f].) Multiplying this polynomial by an 
appropriate element of K to “clear denominators”, we have shown that x 
satisfies a relation 


Ayx™ + a,(f)xN~! ++++ + ay_s(f)x + an(f) = 9, 


where a) €R, and a,(f)¢Rs[f] for 1 <i< N. Enlarging the set S, we may 
further assume that a) € Ré. 

Now suppose that Pe C(K) satisfies f(P)€ Rs. Then P is not a pole of x, 
and the relation 


Ayx(P)" + ay( f(P))x(P)Y! +++ + ay—s(f(P))x(P) + ay(F(P)) = 0 


shows that x(P)is integral over Rs. Since also x(P)e K, and Rg is integrally 
closed in K, it follows that x(P)¢ Ry. This proves that 


{PeC(K): f(P)e Rs} < {PEC(K): x(P)eRs}; 


and so the finiteness assertion of (3.2.2) follows from the finiteness result given 
in (3.2.1). O 


Example 3.3. Consider the Diophantine equation 


y2=x3+Ax+B, 
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where A, BeZ and 4A? + 27B? 40. The above corollary (3.2.1) says that 
there are only finitely many solutions with x, ye Z. What does (3.1) say in this 
situation, say if we take Q = O, f = x, and v the archimedean absolute value 
on Q? 

Label the non-zero rational points P,, P,, ... in order of non-decreasing 
height, and write 


x(P;) = a,/b,eQ 
as a fraction in lowest terms. Then 
log d,(P,, 0) = } log min {|b;/a;|, 1} 
and 
h,(P;) = log max {|qj|, |bj|}- 


(Note that the 1/2 appears because 1/x has a zero of order 2 at 0.) Now (3.1) 
implies that 


min {log |b;/a;|, 0} _ 
iv Max {log |a;|,log|b;|} 
Similarly, letting Q be a point with x(Q) = 0, we have 
log d,(P,, Q) = log min {|a,/bj|, 1} 
(with a factor of 1/2 if B = 0); so again from (3.1) we obtain 
ie min {log |a;/b;|, 0} _ é 
i+ max {log |a;|, log |b;|} 
Now from these two limits, it is an easy matter to deduce that 


1 : 
mn OB lal _ 


In other words, when looking at the x-coordinates of the rational points on 
an elliptic curve, the numerators and the denominators tend to have about 
the same number of digits. This is clearly much stronger than the assertion of 
(3.2), which merely says that there are only finitely many points where the 
denominator is 1. 


Remark 3.4. Although Siegel’s theorem (3.2) is not effective, which means that 
it does not yield an explicitly computable upper bound for the height of all 
integral points, it can be made quantitative in the following sense (see, e.g., 
[Ev-S]): 


For a given non-singular Weierstrass equation, there is a constant N, which can 
be explicitly calculated in terms of the field K and the coefficients of the equa- 
tion, such that the equation has no more than N integral solutions. 


A subtler Diophantine problem, conjectured by Serge Lang, is to give an 
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intrinsic relationship between the number of integral points and the rank of 
the Mordell—Weil group. 


Conjecture 3.5 ([La 5, p. 140]). Let E/K be an elliptic curve, and choose a 
quasi-minimal Weierstrass equation for E/K, 


E:y?=x3?+Ax+B 


(cf. exer. 8.14c). Let S < Mx be a finite set of places containing Mx, and let Rs 
be the ring of S-integers in K. There exists a constant C, depending only on 
K, such that 

#{PeE(K):x(P)eRs} < C#Strank EO), 


This conjecture is known to be true if one restricts attention to elliptic curves 
with integral j-invariant; and more generally, it holds for a constant C de- 
pending on both K and the number of primes of K for which j(E) is not 
integral. (See [Sil 7].) 


We now turn to the proof of (3.1). In broad outline, the argument goes as 
follows. From the theorem on Diophantine approximation (2.4) we have a 
bound, in terms of the height of P, on how fast P can approach Q. Suppose 
now that we write P = [m]P’ + R and Q = [m]Q’ + R. Then the distance 
from P’ to Q’ is about the same as the distance from P to Q (using (2.3), since 
the map P > [m]P + R is unramified); while the height of P’ is much smaller 
than the height of P. Now applying (2.4) to P’ and Q’, we will obtain a better 
estimate; and taking m large enough gives the desired result. 


ProorF oF (3.1). Choose a sequence of distinct points P,€ E(K) so that 


log d,(P,, _. Jog d,(P, 

Lim log 4,(Fi, Q) =L= Lim inf -2 2" © of Q) 

ae h,(P;) PcE(K) h,(P) 
hy(P)> 10 


Since d,(P, Q) < 1 and h,(P) > 0 for all points Pe E(K), we have L <0. It 
thus suffices to prove that L > 0. 

Let m be a large integer. From the (weak) Mordell—Weil theorem (VIII. 
1.1), the group E(K)/mE(K) is finite. Hence some coset contains infinitely 
many points of the sequence P;. Choosing a subsequence, which we again 
denote P,, we can write 


P,=[m]P/ + R, 


where P’, Re E(K) and R does not depend on i. Using the standard pro- 
perties of height functions, we compute 


m?h,(P!) = hy([m] P;) + O(1) (VIII. 6.4b) 
= h,(P, — R) + O() 
< 2h,(P;) + O(1) (VIII. 6.4a), 
where the O(1) is independent of i. 
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Next we do an analogous computation with distance functions. If P, is 
bounded away from Q (in the v-adic topology), then log d,(P,, Q) is bounded, 
so clearly L = 0. Otherwise, we can choose a subsequence so that P; > Q. 
Then [m] P/ > Q — R, so the sequence P/ must have one of the m? possible 
m'*-roots of Q — R as an accumulation point. Thus by again taking a subse- 
quence, we can find a Q’ € E(K) so that 


Pi+Q' and Q=[m]Q'+R. 


Note that the map E > E defined by P > [m]P + R is everywhere unrami- 
fied (III. 4.10c). This lets us use (2.3) to compute 


i log d,(P;, Q) = 

i> log d(P:, 0’) 
Combining this with the height inequality from above yields the following. 
(Note that the log d, expressions are negative, which reverses the inequality.) 


log d,(Pi, Q) 5 log d,(Fi, Q’) 


i an cates Im?h,(P) + O(1) 


i-o (PP) ) 
Now we apply the theorem on Diophantine approximation (2.4) to the 
sequence P; € E(K), which v-adically converges to Q’ € E(K). This yields 


log dy(Pi, 2) 
[K : Q]h,(P) 


(Note that the [K : Q] factor, which in any case is not important, arises 
because h, is the absolute height, while (2.4) is stated using the relative height 
Hx.) Using this result in the above inequality for L, we obtain 

4[K:Q] 


m2 


a —2. 


But K is fixed, while the choice of m was arbitrary. Therefore L > 0, which is 
the desired conclusion. oO 


§4. The S-Unit Equation 


The proof of Siegel’s theorem given in the last section is a special case of 
Siegel’s general result that there are only finitely many S-integral points on 
any curve of genus at least 1. (See [La 7, ch. 8, thm. 2.4].) Siegel also gave a 
second proof, which applies only to a more restricted set of curves. However, 
the set of curves treated does include all elliptic curves. Further, the method is 
important, because when combined with results on linear forms in logarithms 
(see section 5), it leads to an effective procedure for finding all S-integral 
points. For this reason, we will now present Siegel’s alternative proof. 

The idea of the proof is to reduce the problem of solving for S-integral 
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points on a curve to the problem of solving several equations of the form 
ax + by=1 


in S-units. We start by giving a quick sketch of how the solution of this S-unit 
equation can be reduced to the Diophantine approximation theorem (1.4). It is 
this ineffective step which can be replaced by the effective results in section 5. 


Theorem 4.1. Let S < M, be a finite set of places, and let a, be K*. Then the 
equation 

ax + by=1 
has only a finite number of solutions in S-units x, ye R&. 
INEFFECTIVE PRoor (SKETCH). Let m be a large integer. By Dirichlet’s S-unit 
theorem ([La 2, V §1]), the group R*¥/(R¥)" is finite; let c,,...,c,E R¥ be coset 
representatives. Then any solution (x, y) to the original equation can be 


written as 
x=c,X", y=c,Y™ 


for some X, Ye R¥ and some choice of c;, c;. Thus (X, Y) is a solution to the 
equation 


ac,;X™ + bc;Y™ = 1. 


Since there are only finitely many choices for c;, c;, it certainly suffices to 
prove that for any a, Be K*, the equation 


aX™ + BY" =1 


has only finitely many solutions with X, Ye Rs. 
Suppose that there were infinitely many such solutions. Then, since 


A,(Y) = [] maxi, Banas 
we can find some veS so that for infinitely many of the solutions, 
[Y|p > He(Y EOFS. 
(Note that n, < [K: Q].) Let 
y" = —B/a. 


We will specify below which m' root to take. The idea is that if m is large 
enough, then X/Y provides too close an approximation to y. 
We can factor our equation as 


»¢ 1 
I] Y aa cy a m* 
CEBn ay 
Since there are supposed to be infinitely many solutions, we may assume 
Hx(Y) is very large; and so | Y|, will also be large. Then from the equality 
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1 
I] Baty 


cetim| Y Ree faa 


we see that X/Y must be close to one of the Cy’s; so replacing y by one of its 
conjugates, we may assume that |X/Y — y|, is quite small. But then for ¢ ¥ 1, 
|X/Y — Cy|, cannot be too small, since 


|X/Y¥ — Cyl, > ly — O)le — [X/¥ — yo 
Hence we can find a constant C, > 0, independent of X/Y, so that 
X/Y¥ — yl, < C,| YI,” 
(See exer. 9.5.) Finally, from the expression 
a(X/Y)" = (1/Y)" — B, 


one easily deduces that 
H,(X/Y) < C,H,(Y), 


where C, depends only on a, f, and m. Now combining all of the above 
estimates, we find 


[X/Y — yl, < CHg(X/Y) 1K MAS, 


But if we take any m > 2[K : Q]#S, then Roth’s theorem (1.4) says that there 
are only finitely many possibilities for X/Y. Further, since 


Y" =(0(X/Y)" +B)! and X=(X/Y)Y, 


each ratio X/Y corresponds to at most m possible pairs (X, Y). This con- 
tradicts our initial assumption that there are infinitely many solutions, and so 
completes the proof of (4.1). oO 


Remark 4.2.1. Notice the great similarity in the method of proof for Siegel’s 
theorem (3.1) and the S-unit equation (4.1). In both cases one starts with a 
point in a finitely generated group (P € E(K) for the former, (x, y)e R¥ x R¥ 
for the latter). Next one uses the “multiplication-by-m” map to produce a new 
point whose height is much smaller, but which is a close approximation to 
another point defined over some finite extension of K. Finally one invokes a 
theorem on Diophantine approximation, such as (1.4), to complete the proof. 


Remark 4.2.2. The proof of (4.1) given above is ineffective, since it makes use 
of Roth’s theorem (1.4). But just as for Siegel’s theorem, it is possible to make 
(4.1) quantitative; that is, to give an upper bound for the number of solutions. 
A priori, one would expect such a bound to depend on both the field K and 
the set of primes S. In fact, it is possible to prove the following analogue for 
the S-unit equation of Lang’s conjecture (3.5) for elliptic curves. The proof, 
which we do not include, is fairly intricate. 


Theorem 4.2.3 (Evertse [Ev]). Let S < Mx be a finite set of places containing 
MR, and let a, be K*. Then the equation 
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ax + by=1 


has at most 3 x 7‘ 9+2#S solutions in S-units x, y€ Ré. 


To see most clearly the analogy with (3.5), note that Ré is a finitely generated 
group of rank #S — 1. Thus the bound in conjecture (3.5) takes the form 
Crank (R3)+rank (E(K)+1_ while the bound in (4.2.3) can be written as C'@™* (3)+1, 
We now give Siegel’s reduction of S-integral points on hyperelliptic curves 
to solutions of the S-unit equation. Although we will not do so, the reader 
should note that every step in this reduction process can be made effective. 


Theorem 4.3 (Siegel). Let f(x)¢K[x] be a polynomial of degree d > 3 with 
distinct roots (in K). Then the equation 
y’ = f(x) 


has only finitely many solutions in S-integers x, y € Rs. 


Proor. Clearly we are proving something stronger if we take a finite exten- 
sion of K and enlarge the set S. Thus we may assume that f splits over K, say 


F(x) = a(x — a4)...(% — Oa) 
with «,;¢ K; and then make S sufficiently large so as to satisfy the following: 
(i) ae RS; 
(ii) «; — ae R¥ for all i #j; 
(iii) Rs is a principal ideal domain. 

Now suppose that x, ye Rs satisfy y? = f(x). Let p be a prime ideal of Rs. 
Then p can divide at most one x — «,, since if it divides both x — a, and 
x — a, then it divides «; — a, contradicting assumption (ii). Further, from (i), 
p does not divide a. It follows from the equation 

y? = a(x — 0)...(x — a) 


that ord,(x — a;) is even, and so the ideal (x — «;)Rs is the square of an ideal 
in Rs. But from (iii), Rs is a principal ideal domain. Hence there are elements 
z,;€ Rs and units b;€ R¥ so that 

x—- a; = be? . 


Now let L/K be the extension of K obtained by adjoining to K the square 
root of every element of R$. Note that L/K is a finite extension, since 
R¥/(R%)? is finite from Dirichlet’s S-unit theorem. Further let T < M, be the 
set of places of L lying over elements of S, and let Ry be the ring of T-integers 
in L. Now each 5; is a square in Ry, say b; = 87, so 

x — a; = (,z,)". 


Taking the difference of any two of these equations yields 


a; — 0; = (B,z; — Biz;)(Bi2; + Bj2;). 
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Note that «; — a;€ R}, while each of the two factors on the right is in Rz. It 
follows that each of these factors is a unit, 


Bz;+B2z;€Rt foralliF¥j. 
Now we use Siegel’s identity: 

ByZ, + B.22 _ Baz. + B3z3 4 

B,Z, — B323 By 2, — B323 


This is a sum of two elements of R¥ totaling 1, hence from (4.1) there are only 
finitely many choices for 


By, 21 + Boz. By 2, — B22 
«6 a SSS 
B,2, — B323 By, 2, — B32Z3 


Multiplying these two numbers, there are only finitely many possibilities for 


a — Oy 
(B121 — B323)”’ 
hence only finitely many for 
Biz, — B3Z3, 
and so only finitely many for 
1 3 — Oy | 
Z=- Z, — B3z3) + ————— |. 
fir =5| Bier — ay) +p 


But 
x =a, + (B,24)’, 


so there are only finitely many possible values of x; and then for each x, at 
most two y’s. | 


Corollary 4.3.1. Let C/K be a curve of genus 1, and let f € K(C) be a non- 
constant function. Then there are only finitely many points P € C(K) such that 
S(PyeRs. 


Proor. Using the reduction procedure given in (3.2.2), it suffices to consider 
the case that f is the x-coordinate on a Weierstrass equation. But that case 
is covered by (4.3). O 


§5. Effective Methods 


In 1949, Gelfond and Schneider independently solved Hilbert’s problem con- 


cerning the transcendence of v2. They actually proved the following strong 
transcendence criterion. 
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Theorem 5.1 (Gelfond, Schneider). Let «, Be Q with « 4 0, 1 and B¢Q. Then 
a is transcendental. 


Gelfond rephrased his result in terms of logarithms. If «,, «,¢Q* and if 
log a, and log a, are linearly independent over Q, then they are linearly 
independent over Q. He further showed that one could give an explicit lower 
bound for |, log a, + B, log «,| whenever this quantity is non-zero, and 
noted that many Diophantine problems could be solved if one knew an 
analogous result for sums of arbitrarily many logarithms. Such a theorem 
was proven by A. Baker in 1966. The proof is quite involved, so we will be 
content to just quote the following version. 


Theorem 5.2 (Baker). Let «,,...,4,€K* and B,,..., B,€K. For any constant 
K, define 


T(K) = T(K; 01, -.65 qs B,, --+> By) = A(LA, By, ---> B,)A(CA, bys --+5 al). 


(N.B. These are logarithmic height functions.) Fix an embedding K < C, and 
let |-| be the corresponding absolute value. Assume that 


B, loga, +--+ B, log a, 40. 


Then there are effectively computable constants C, xk > 0, depending only onn 
and [K : Q], such that 


|B, log a, +°*: + B, log a,| > C7™. 
Proor. See [Ba] or [La 5, VIII, Thm. 1.1]. oO 


Remark 5.2.1. We have restricted ourselves in (5.2) to the case of an archi- 
medean absolute value. There are analogous results in the non-archimedean 
case, although minor technical difficulties arise due to the fact that the p-adic 
logarithm is only defined in a neighborhood of 1. See (5.6) below for a further 
discussion. 


It is not immediately clear how Baker’s theorem (5.2) can be applied to give 
a bound for the solutions to the S-unit equation. We start with the following 
elementary lemma. (See also exer. 9.8.) 


Lemma 5.3. Let V be a finite dimensional vector space over R. Given any 
basis e = {e;,...,@,} for V, let ||: ||. be the sup norm with respect to e. (Le. 
|x\le = |/Zx;,e;|| = max {|x;|}.) Suppose that f = {f,,...,f,} is another basis. 
Then there are constants c,,C, > 0, depending on e and f, so that for all xe V, 


C1 [IX lle < x lle < Call lle. 


Proor. Let A = (a,;) be the change of basis matrix from e to f, so e = 
La, f;; and let ||A|| = max{|a,|}. Then for any x = Xx,e,eV, we have 
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x= UXx;e; — 2X4; ip so 


> Xi 
t 


This gives one inequality, and the other follows by symmetry. O 


} <n max {|aj|} max {|x;|} = n||Al| [lle- 
uJ i 


[y= max} 
J 


We apply (5.3) to the following situation. Let S < Mx be a finite set of 
places containing Mf, let s = #S, and choose a basis a,,..., #,-, for the free 
part of R¥. Then every ae R¥ can be written uniquely as 


ow = Corlt... ogtsst 
for integers m,,...,m,_, and a root of unity ¢. Define the size of « (relative to 
{1, 28,219) as-1}) by 
m(a) = max {|m;,|}. 
Lemma 5.4. With notation as above, there are constants c,, Cc, > 0, depending 
only on K and S, such that for every ae Rk, 


c, h(a) < m(a) < cz,h(a). 
Proor. Let S = {v,,..., v,}, and let n; = n,, be the local degree corresponding 
to v;. Consider the S-regulator homomorphism 
ps: RS —> R® 
a> (n,v,(a), siete 9 n,v,(a)). 


Notice that the image of ps lies in the hyperplane H = {x, + +--+ x, = 0}; 
and by Dirichlet’s S-unit theorem, it actually spans H. Let ||-||, be the sup 
norm on R¥ relative to the standard basis, and let ||- ||, be the sup norm 
relative to the basis {ps(a,), ..., Ps(%s—1), (1, 1,..., 1)}. (Le. {ps(«;)} spans H, 
and we have added one extra vector in order to span all of R*.) From (5.3), 
there are constants c,, c, > 0 such that 


ey(Ixli <(xll,<e2ixll, forall xeR®. 


Now let ae R¥, and write p(a) = Lm;ps(a;). Then directly from the defi- 
nitions, we have 


|| Ps(#) l2 = max {|m,|} = m(a), 

Il Ps(@) Il, = max {njv,(a)|}, 
and 

h(a) = ¥ max{0, —n,v,(a)}. 


(Note that the sum for hx(a) need only run over the absolute values in S, since 
v(a) = 0 for all v¢éS.) We must now find a way to compare || p.(«)||, with 
hy (a). 
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More generally, for any x = (x,,..., x,)€ H, we can compare ||x||, with 
h(x) = X max{0, —x,}. First, since max{0, —x,;} <|x;|, we have the obvious 
estimate 


h(x) < sll. 
On the other hand, if we sum the identity 
x; = max{0, x;} — max{0, —x;} 
for 1 <i<-s and use the fact that xe H (i.e. Xx; = 0), we obtain 
0 = h(—x) — h(x); andso h(x) = h(—x). 
Therefore 
2h(x) = h(x) + h(—x) 

= ) (max {0, —x;,} + max {0, x;}) 

= PIs 

2 max {|x;|} 

= ||xlh- 


Thus $|| x ||, < A(x) < s||x||,; and combining this with the above results gives 
an estimate of the desired form, 


(C1/s)hx(a) < m(a) < 2c, hx(a). oO 


We are now ready to show how the solution of the S-unit equation can be 
reduced to the problem of bounds for linear forms in logarithms. 


Theorem 5.5. Fix a, be K*. There exists an effectively computable constant 
C = C(K, S, a, b) such that any solution (a, B)eé R€ x R¥ to the S-unit equation 


aa+ bp =1 
satisfies H(a) < C. 


Proor. Let («, 8) be a solution, and choose the absolute value v in S for which 
|a|, is largest. Then, since |a|,, = 1 for all w¢éS, we have 


Jali > [] max{1, lolier} = Hx(o); 
weS 
and hence 


la], > H(a)"*. 


(Here, as usual, s = #58.) 
To simplify our discussion, we will now assume that v is archimedean. 
(This will certainly be true, for example, if S = Mf. For arbitrary S, see the 
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discussion in (5.6) below.) The mean value theorem applied to the function 
log x yields 


log x — log 4 o 1 
x—y ~ min{{x|, [yl} 
We use this with x = aa, y = —bf, x — y = 1, and obtain 
|log aa — log bB| < min{|aa|, |ax — 1|}~* 
< 2(lalH(a)")"*. 


(For the last line, we have assumed that |a| > 2/|a|, since otherwise we have 
the excellent bound H(a) < |a|* < (2/a|)*.) 
Now let a,,...,a,-, be a basis for R¥ as above, and write 


Ms-1 


o= Car aa and ‘p= Carag 


ms-1 
s-1° 


Substituting this into the above inequality yields 
[d)(m; — m;) log «; + log(at/bt’)| < cy H(a)""*, 


where here and in what follows, the constants c,, c,,... are effectively com- 
putable and depend only on K, S, a, and b. 
From the equality aa + bf = 1, one easily obtains an estimate 


|h(a) — A(B)| < ¢2; 
and now applying (5.4) yields 
c3m(a) < m(B) < cym(a). 
(Since we may clearly assume that m(«), m(f) > 1.) In particular, 
|m; — m;| < m(a) + m(B) < csh(a). 
Letting q; = m; — m; and y = a¢/bC’, we now have an inequality 
Iq: log a, +°** + q,-1 log a, + log y| < cy H(a)** 


with a,,..., 4-1, y fixed and q,,..., q,-, integers satisfying |q;| < c5h(«). 
Now use Baker’s theorem (5.2). This gives a lower bound of the form 


lq, loga, +--+ + q,-; log a,_, + log y| > cg", 
where 
t= ALA, di... +5 Isr ALA, O41, 5 M15 YI) 
and x is a constant depending only on K and s. But from above, 
A(CL, 91, +++) ¥s-1]) = log max {1, |4y1,..-, 14.11} < log(cs h(a). 


Combining the upper and lower bounds for the linear form in logarithms and 
using this estimate yields 
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Cz loatesh(a) <c,H(a)~ 1s" 


(Note that the basis «,,..., %,.,; depends only on the field K and the set S, so 
it is alright to absorb the h([1, a, ..., &1, y])* exponent into the c,.) Nowa 
little bit of algebra gives 


H(a) < cgh(a)®; 
and since h(a) = log H(a), this implies the desired bound for H(q). Oo 


Remark 5.6. In order to make the argument given in (5.5) apply to a non- 
archimedean absolute value, it is necessary to make some minor technical 
alterations. The main difficulty is that the logarithm function in the p-adic 
case only converges in a neighborhood of 1. What one does is to take a sub- 
group of finite index in R¥ which is generated by S-units which are p-adically 
close to 1, together with a uniformizer for p. Then, assuming that |q|, is 
sufficiently large, one shows that aa/bf is p-adically close to 1. Now applying 
the above argument to some power of aa/bf will give a well-defined linear 
form in p-adic logarithms, and from then on the argument goes just the same. 
For the final step, of course, one must use a p-adic analogue of Baker’s 
theorem. (For more details of this reduction step, see for example [La 5, 
VI §1].) 


Remark 5.7. In order to obtain an effective bound for those points on an 
elliptic curve which satisfy f(P)e Rs, where f is an arbitrary non-constant 
function, it is also necessary to make the reduction step given in (3.2.2) 
effective. This essentially involves giving an effective version of the Riemann— 
Roch theorem, which has been done by Coates ([Co]). As the reader might 
guess from the number of reduction steps involved, the effective bounds 
which come out of the current proofs are quite large. To indicate their 
magnitude, we quote the following two results. (See also [Ko-T], (7.2) and 
(7.4).) 


Theorem 5.8. (a) (Baker [Ba, p. 45]) Let A, B, C, DeZ satisfy 
max {A, B, C, D} < H, and assume that 
E:Y? = AX? + BX?+CX+D 
is an elliptic curve. Then any point P = (x, y)€ E(Q) with x, yeZ satisfies 
max{|x|, |y|} < exp((10°H)*). 


(b) (Baker, Coates [Ba—C]) Let F(X, Y)e_Z[X, Y] be an absolutely irreduc- 
ible polynomial such that the curve F(X, Y) = 0 has genus 1. Assume that F has 
degree n, and that its coefficients all have absolute value at most H. Then any 
solution F(x, y) = 0 with x, yeZ satisfies 


max {|x|, ly|} < exp exp exp((2H)!0""’), 
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Linear Forms in Elliptic Logarithms 


Rather than reducing the problem of integral points on an elliptic curve to 
the question of solutions to the S-unit equation, and thence as above to 
bounds for linear forms in logarithms, one can work directly with the analy- 
tic parameterization of the elliptic curve. We will now briefly indicate how 
this is done in the simplest case. 

Let E/Q be an elliptic curve given by a Weierstrass equation 


E:y? = 4x3 — g.x —g3 
with g,, g,¢Z. We are interested in bounding the height of points Pe E(Q) 
which satisfy x(P) eZ. Let 
¢@:C/A > E(C) 


be the analytic parameterization of E(C) given by the Weierstrass y-function 
(cf. VI. 5.1.1). We fix a basis {@,, @,} for the lattice A. Let 


y:E(C)>C 


be the map inverse to ¢ which takes values in the fundamental parallelogram 
centered at 0. (Thus ¢ is the elliptic exponential map, and choosing a funda- 
mental parallogram for the elliptic logarithm is comparable to choosing a 
principal value for the ordinary logarithm function.) 

Fix a basis P,, .... P. for the free part of E(Q). Then given any point 
PeE(Q), we can write P=q,P,+-::+4,P.+T for certain integers 
41>--+> 4, and a torsion point Te E,,,,(Q). It follows that 


W(P) = gi W(P,) + °° + g.W(P,) + W(T) (mod A), 
so there are integers m, and m, such that 
W(P) = qi (Py) + 0° + WP) + W(T) + myo, + ma. 


Now suppose that P is a large integral point; that is, x(P)¢Z and |x(P)| is 
large. Then P is close to O (in the archimedean topology), and so (P) is close 
to 0. More precisely, since ¢9(z) = x(¢(z)) behaves like z~? for z close to 0, we 
see that 


(PII? < ey |x(PHt = cy Hx(P))* 


(Recall that if x eZ, x 4 0, then H(x) = |x|. The constant c, will depend on g, 
and g3.) 

On the other hand, using the quadracity and positive definiteness of the 
canonical height (VIII. 9.3 and VIII. 9.6), we can estimate 


log H(x(P)) = h,(P) = 2A(P) + O(1) 
= 2h(¥.q:P; + T) + O(1) 


ZC max {|q;l}7, 
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where c, will depend on E and the choice of the basis P,, ..., P.. (See exer. 
9.8.) Substituting this above, we obtain an upper bound for our linear form 
in elliptic logarithms: 


qiW(Py) +07 + G(R) + W(T) + myo, + mze0q| < cmon”, 
Further, since w, and w, are R-linearly independent, it is easy to see that 
max {|m,|, |m2|} < cq max{|q;l}, 
where c, depends on E, {P;}, w,, and w,. Thus we finally obtain 
lqiW(P,) +7 + 4,W(P) + ¥(T) + myo, + mo. < 5", 


with q= max {|q;l, Re ldrl, |m,|, |m|}. 

Now any lower bound C~™ for the left-hand side satisfying t(q)/q? — 0 as 
q— © will give the desired finiteness result. The first effective estimate of this 
sort was proven by Masser ([Mas]) in the case that E has complex multipli- 
cation. The general case was dealt with by Wiistholz ((Wti 1], [Wii 2]), who 
had to overcome great technical difficulties associated with the necessary 
zero and multiplicity estimates. 

It remains to discuss the question of effectivity. The reduction to linear 
forms in ordinary logarithms via the S-unit equation is fully effective. It is 
possible to give an explicit upper bound for the height of any S-integral point 
of E(K) in terms of easily computed quantities associated to K, S, and E. One 
of these quantities, for example, will be a bound for the heights of generators 
for the unit group R*. Now in the analogous reduction to linear forms in 
elliptic logarithms, one similarly chooses a set of generators for the Mordell— 
Weil group E(K); and the bound for the integral points then depends on the 
heights of these generators. Unfortunately, as we have seen (cf. VIII. 3.2 and 
Ch. X), the proof of the Mordell—Weil theorem is not effective. Thus although 
the approach to integral points on elliptic curves via elliptic logarithms seems 
much more natural than the roundabout route through the S-unit equation, 
it is likely to remain ineffective until an effective proof of the Mordell—Weil 
theorem is found. 


§6. Shafarevich’s Theorem 


Recall that an elliptic curve E/K has good reduction at a finite place ve Mg if 
it has a Weierstrass equation whose coefficients are v-integral and whose 
discriminant is a v-adic unit (cf. VII §5). 


Theorem 6.1 (Shafarevich [Sha]). Let S c Mx be a finite set of places con- 
taining MZ. Then up to isomorphism over K, there are only finitely many 
elliptic curves E/K having good reduction at all primes not in S. 
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Proor. Clearly we are proving something stronger if we enlarge S. We may 
thus assume that S contains all primes of K lying over 2 and 3. Further, we 
may enlarge S so that the ring of S-integers R; has class number 1. 

Now under these assumptions, (VIII. 8.7) says that any elliptic curve E/K 
has a Weierstrass equation of the form 


E:y?=x3+Ax+B A, BERs, 


with discriminant A = —16(4A? + 27B?) satisfying ARs = DgxRs. (Here 
QBz/x is the minimal discriminant of E/K. Cf. (VIII §8).) Note that if E has 
good reduction outside of S, then ord,(Dz/x) = 0 for all primes v not in S; and 
so A will be in R¥. 

Assume now that we are given a sequence of elliptic curves E,/K, E,/K, ..., 
each of which has good reduction outside of S. Associate to each E; an 
equation as above with coefficients A;, B;¢ Rs and discriminant A;e R¥. We 
break the sequence of E,’s into finitely many subsequences according to the 
residue class of A; in the finite group R¥/(R¥)'?. Restricting attention to one 
such subsequence, we may assume that A; = CD}? for a fixed C and some 
D,é R&. 

Now the formula A = — 16(4A? + 27B?) implies that for each i, the point 
(—12A,/D}, 72B;/D£) is an S-integral point on the elliptic curve 


Ye XO 2G, 
Siegel’s theorem (3.2.1) says that there are only finitely many such points, and 
so only finitely many possibilities for A;/D* and B,/D®. But if 
A,/Dj = A;/D* and  B;,/Df = B,/D§, 
then the change of variables 
x= (D;/D;)?x' y= (D,/D,)*y’ 
gives an isomorphism from E; to E;. Hence the sequence of E,’s contains only 


finitely many K-isomorphism classes of elliptic curves. Oo 


Example 6.1.1. There are no elliptic curves E/Q having everywhere good 
reduction (exer. 8.15). For a complete list of the 24 curves E/Q having good 
reduction outside of {2} and the 784 curves E/Q having good reduction 
outside of {2, 3}, see [B—K, Table 4]. Similar lists have also been compiled 
for various quadratic number fields; see for example [Las 2] and [Pi]. 


Shafarevich’s theorem (6.1) has a number of important applications. We 
will content ourselves with the following two corollaries. 


Corollary 6.2. Fix an elliptic curve E/K. Then there are only finitely many 
elliptic curves E'/K which are K-isogenous to E. 


Proor. If E and E’ are isogenous over K, then (VII.7.2) says that E and E’ 
have the same set of primes of bad reduction. Now apply (6.1). oO 
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Corollary 6.3 (Serre). Let E/K be an elliptic curve with no complex multiplica- 
tion. Then for all but finitely many primes ¢, the group of ¢-torsion points 
E[@] has no non-trivial Gg,x-invariant subgroups. [I.e. The representation of 
Gx on E[?¢] is irreducible. ] 


Proor. Suppose that ®, c E[#] is a non-trivial Gg,x-invariant subgroup. 
Since E[/] = (Z/¢Z)*, ®, is necessarily cyclic of order 7. Further, from 
(II1.4.12), there exists an elliptic curve E,;/K and an isogeny ¢;: E > E; de- 
fined over K with ker(¢,) = ®,. 

Since each such E; is isogenous to E, (6.2) says that the E,’s fall into finitely 
many K-isomorphism classes. Suppose that E, = E,. for two primes 7 and ¢. 
Then the composition 


ESE,2E,SE 
gives an endomorphism of E of degree 
(deg ¢,)(deg ¢,,) = ¢¢’. 


But by assumption, End(E) = Z, so every endomorphism of E has degree n?” 
for some néZ. This shows that ? = 7’, and so the E,/’s are pairwise non- 
isomorphic for distinct primes ?. Therefore there are only finitely many 
primes 7 for which such a ®, and E, can exist. oO 


Example 6.4. For K = Q, results of Mazur ([Maz 2]) and Kenku ([Ke]) give 
a far more precise statement than (6.2). They show that for a given elliptic 
curve E/Q, there are at most eight Q-isomorphism classes of elliptic curves 
E'/Q which are Q-isogenous to E. Further, if 6: E> E’ is a Q-isogeny for 
which ker(@) is a cyclic group, then either 


1<deg¢<19, or deg de {21, 25, 27, 37, 43, 67, 163}. 


It is no coincidence that those d’s for which Q(,/—d) has class number 1 
appear as possibilities for deg ¢. This is because the class number 1 condition 
allows the elliptic curve E corresponding to the lattice 


Z+Zb+4,/—d) 
via (VI. 5.1.1) to be defined over Q. (See C. 11.3.1.) Now one need merely note 
that multiplication by ./—d gives an isogeny from E to itself whose kernel ® 
is cyclic of order d and defined over Q. Then E > E/® is a cyclic isogeny of 
degree d. 


Remark 6.5. An examination of the proof of (6.1) reveals an interesting possi- 
bility. If one had some other proof of (6.1) which did not use either Siegel’s 
theorem or Diophantine approximation techniques, then one could deduce 
that the equation 


Y?=X°+D 
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has only finitely many solutions X, Ye Rs. For given such a solution, the 
equation 


yy>=x3—-Xx-—Y 
would be an elliptic curve with good reduction outside of 
Su {primes dividing 2 and 3}. 


Hence assuming (6.1), there would be only finitely many such curves, and one 
could argue back to the finiteness of the number of pairs (X, Y). Building on 
this idea, Parshin ([Pa]) showed how a generalization of (6.1) to curves of 
higher genus (which had already been conjectured by Shafarevich [Sha 1]) 
could be used to prove Mordell’s conjecture that curves of genus greater 
than 1 have only finitely many rational points. The subsequent proof of 
Shafarevich’s conjecture by Faltings ([Fa 1]) completed this chain of reason- 
ing. Faltings’ proof (together with Parshin’s idea) also gives a proof of Siegel’s 
theorem (3.2) which does not involve the use of Diophantine approximation. 


§7. The Curve Y? = X37 + D 


Many of the general results known or conjectured about the arithmetic of 
elliptic curves were originally noticed and tested on various special sorts of 
equations, such as the one given in the title of this section. For example, long 
before the work of Mordell and Siegel led to general finiteness results such as 
(3.2), many special cases had been proven by a variety of methods. (See, e.g., 
[Mo 4, Ch. 26].) We give two examples where the complete set of solutions 
can be obtained by relatively elementary means. 


Proposition 7.1. (a) The equation 
y=xP2+7 


has no solutions in integers x, ye Z. 
(b) (Fermat) The only integral solutions to the equation 


yr=x3-2 
are (x, y) = (3, +5). 
Proor. (a) Suppose that x, ye Z satisfy y? = x? + 7. First, note that x must 


be odd, since no integer of the form 8k + 7 is a square. Now rewrite the 
equation as 


y?>+1=x3 +8 =(x + 2)(x? — 2x + 4). 
Since x is odd, 


x? 2x +4=(x —1)? +3 =3(mod 4), 
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so we can choose a prime p = 3 (mod 4) which divides x? — 2x + 4. But then 
y? + 1 = 0 (mod p), which is not possible. 
(b) Suppose we have a solution x, ye Z to y? = x3 — 2. Factor the equation 


as 
(y+ /-2)(y — f-2) = x°. 
Since the ring R = Z[,/—2] is a principal ideal domain, and the greatest 


common divisor of y + ./—2 and y — ./ —2 (in R) clearly divides 2,/—2, 
we see that y + ./ —2 can be written as 


y+ /-2 = © or S-203 or 263 


for some Ce R. Applying complex conjugation gives 
Popa d SO er “Saf 2 ver 20: 
and now taking the product yields 
xe = yt+2 = (OP or 2(¢0) or 4(CC)*. 


Since (€€ Z, this shows that only the first case is possible, so 


y+ /-2=@ and y—/-2=03. 
Subtracting these equations gives 
2/-2=0-P=C-HC + +0), 
Now write €=a+ be =o with a, be Z. Substituting this above yields 
2,/—2 = 2./—2b(3a? — 2b); 


so using the fact that a and b are rational integers, we must have 
b=+1 and 3a? — 2b? = +1. 


Therefore (a, b) = (+1, +1) (with independent + signs); and working back, 
these lead to the values (x, y) = (3, +5). Oo 


Remark 7.1.1. It is worth remarking that the result in (7.1b) is far more 
interesting than that of (7.1a). This is because the Mordell-Weil group (over 
Q) of the elliptic curve y? = x? + 7 turns out to be trivial, so (7.1a) is really a 
reflection of the fact that the equation has no rational points. On the other 
hand, the Mordell—Weil group of y* = x? — 2 is infinite cyclic (cf. exer. 10.19), 
so (7.1b) says that in its infinite set of rational points, there are only two 
integral points. 

Baker applied his methods to obtain an explicit upper bound, in terms of 
D, for the integral solutions of y? = x? + D. This bound was refined by Stark, 
who proved the following. 


268 IX. Integral Points on Elliptic Curves 


Theorem 7.2 (Stark [Sta]). For every ¢ > 0 there is an effectively computable 
constant C,, depending only on , so that the following holds. Let De Z, D # 0. 
Then every solution x, yéZ to the equation 


y=xi+D 
satisfies 


log max{|x|, yl} < C,|D|***. 


Example 7.3. Stark’s estimate (7.2) gives a bound for x and y which is slightly 
worse than exponential in D. One naturally would like to know whether this 
is the correct order of magnitude. A number of people have conducted com- 
puter searches for large solutions (see, e.g., [Lal] or [Hal]). Among the 
interesting examples found were 


378,661? = 52343 + 17 
911,054,064? = 939,7873 — 307 
149,651,610,621? = 28,187,3513 + 1090. 


Although these examples show that x and y can be quite large in comparison 
to D, a close examination of his data led M. Hall to make the following 
conjecture, which was subsequently partly generalized by Lang. 


Conjecture 7.4. (a) (Hall [Ha1]): For every ¢ > 0 there is a constant C,, de- 
pending only on ¢, so that the following holds. Let De Z, D # 0. Then every 
solution x, ye Z to the equation 

yy =x3+D 
satisfies 

|x| < C,D?*®, 


(b) (Hall-Lang [La 9]) There are absolute constants C, x > 0 such that if 
E/Q is an elliptic curve given by a Weierstrass equation 


yy=x3+Ax+B  A,BeZ, 
and if P € E(Q) is an integral point (i.e. x(P)€ Z), then 
|x(P)| < C max {|A|, |B|}". 


The evidence for these conjectures is fragmentary. They are true for func- 
tion fields (Davenport [Dav] for (7.4a) and Schmidt [Schm 1] for (7.4b)). 
Further, Vojta ([Voj]) has shown how (7.4a) is a consequence of his very 
general Nevanlinna-type conjectures for varieties over number fields; but 
Vojta’s conjectures seem well beyond the reach of current techniques. (Also 
see exer. 9.10.) Aside from this, very little is known. It is worth pointing out 
that the effective techniques in section 5 seem intrinsically incapable of lead- 
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ing to estimates like (7.4). Let us explain what the problem is, say for the 
equation y? = x° 4+ D. 

In performing the reduction to the S-unit equation, one deals with a num- 
ber field K whose discriminant looks like a power of |D|. Now the Brauer— 
Siegel theorem says that log(hx Rx) ~ 4 log dx as [K : Q]/log d, > 0, where 
hx is the class number, Rx is the regulator, and d, is the absolute discriminant 
of K. (See, e.g., [La 2, Ch. XVI].) In general there is no reason to expect the 
class number of K to be large, so the best that one can hope for is to find a 
bound for the regulator which is a power of |D|. Since the regulator is a 
determinant of the logarithms of a basis for the unit group R*, the resulting 
bounds for the heights H(«;) of generators «;€ R* will be exponential in |D]. 
This eventually leads to an exponential bound for x and y as in (7.2). 

There is a similar problem in trying to prove (7.4) by using linear forms in 
elliptic logarithms or by following Siegel’s method of proof as in (3.1) (even 
assuming that one could find a strong effective version of Roth’s theorem). Of 
course, neither of these methods is effective, since the Mordell—Weil theorem 
is not effective. But in any case, it seems likely (cf. VIII. 10.2) that the best 
possible upper bound for generators of the Mordell-Weil group of y? = 
x3 + D will have the form h(P) < C|D|*. Here h is a logarithmic height, so 
again this will lead to a bound for the x-coordinate of integral points which 
is exponential in |D]. 

The problem in both cases can be explained most clearly by the analogy 
given in (4.2.1). In solving the S-unit equation and in finding the integral 
points on an elliptic curve, one is initially given a finitely generated group 
(R$ x R§&, resp. E(K)) and a certain exceptional subset (solutions to 
ax + by = 1, resp. points with x(P)e R;). The first step is to choose a basis for 
the finitely generated group and express the exceptional points in terms of 
this basis. Now the problem that arises in trying to prove (7.4) (or the 
analogous estimate for the S-unit equation) is that in general, the best upper 
bound (conjecturally) obtainable for the heights of the basis elements is 
exponentially larger than the desired bound for the exceptional points! The 
moral of this story, assuming the validity of the various conjectures, is that a 
randomly chosen elliptic curve is unlikely to have any integral points at all. 
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In this section we give a brief sketch of the principal steps which go into the 
proof of Roth’s theorem (1.4). None of these steps are particularly deep, but 
the details needed to make them rigorous are quite lengthy. (See [Schm 2] 
or [La 7, Ch. 7].) 

We assume given an « eK, a ve Mg, and real numbers C, ¢ > 0. It is desired 
to prove that there are only finitely many xe K satisfying 


|x — al, < CHx(x) 7. 
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Step I: An Auxiliary Polynomial 


For any given integers m, d,,..., d,,, one uses elementary estimates and the 
pigeon-hole principle to construct a polynomial 


P(X,,..., Xp)€RLX4,-.-, Xml 


of degree d; in X; which vanishes to fairly high order (in terms of m and the 
d,s) at the point («,..., «). Further, one shows that P can be chosen with 
coefficients having fairly small heights, the bound for the heights being given 
explicitly in terms of «, m, and the d,’s. 


Step II: An Upper Bound for P 


Suppose now that we are given elements x,,..., x,,€K satisfying 
|x; — al, < CH,(x,)?7-* = forl <i<m. 


Then using the Taylor series expansion for P(X,,..., X,,) around (a, ..., a) 
and the fact that P vanishes to high order at (a,...,«), one shows that 
| P(X, -++) Xm)lp is fairly small. 


Step II: A Non-Vanishing Result (Roth’s Lemma) 


Suppose that the degrees d,,..., d,, are fairly rapidly decreasing (the rate of 
decrease depending on m), and suppose that x,,..., x,,€K have the property 
that their heights are fairly rapidly increasing (the rate of increase depending 
on mand d,,..., d,,). Suppose further that P(X,,..., X,,)€R[X,,..., Xm] has 
degree d; in.X; and coefficients whose heights are bounded in terms of d, and 
h(x,). Then one shows that P does not vanish to too high an order at 
(X15. +65 Xm): 

This is the hardest step in Roth’s theorem. In Thue’s original theorem, he 
used a polynomial of the form P(X, Y) = f(X) + g(X)¥, and obtained an ap- 
proximation exponent t(d) = 4d + ¢. The improvements of Siegel, Gelfond, 
and Dyson used a general polynomial in 2 variables. It was clear at that time 
that the way to obtain t(d) = 2 + ¢ was to use polynomials in more variables; 
the only stumbling block was the lack of a non-vanishing result such as the 
one we have just described. 

The proof of Roth’s lemma is by induction on m, the number of variables in 
the polynomial P. If P factors as 


P(X, sees Xn) => F(X,)G(X,, ory Xin)s 


then the induction proceeds fairly smoothly. Of course, this is unlikely to 
happen. What one does is construct differential operators Y, so that the 
generalized Wronskian determinant det(9,,P) is a non-zero polynomial 
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which does factor in the above fashion. It is then a fairly delicate matter to 
estimate the degrees and heights of the coefficients of the resulting poly- 
nomial, and show that they have not grown too large to allow the inductive 
hypothesis to be applied. 


Step IV: The Final Estimate 


Suppose that the inequality 
|x — ol, < CH x(x)? 


has infinitely many solutions x € K. We derive a contradiction as follows. 
First choose a value for m depending on «, C, and [K(a): K]. Second 
choose x,,..., X,,€K in succession satisfying 


|x; a, < CHx(x;)?~, 


such that H,(x,) is large (depending on m), and H,(x;.,) > Hx(x;)* for some 
constant x depending only on m. Third choose a large integer d, (depending 
on m and the H,(x;)’s), and then choose d,, ..., d,, in terms of d, and the 
H,(x;)’s. We are now ready to apply the results detailed above. 

Using step I, choose a polynomial P(X,,..., X,,) of degree d; in X; which 
vanishes to high order at (a, ..., «). (The order of vanishing will depend on m 
and the d,s.) From step III, P does not vanish to too high an order at 


(x1, --+) Xm), $0 we choose a low-order non-vanishing partial derivative 
oi a eh 
Z =P, Xm) F O- 
axis... aXim O n) 


From step II, |z|, is fairly small. On the other hand, since z 4 0, one can use 
the product formula to show that |z|, cannot be too small. Specifically, one 
shows that |z|, > H(z)": (cf. exer. 9.9). Now using elementary (triangle 
inequality) estimates, one finds a lower bound for H,(z)~'. Combining this 
with the upper bound provided by step II, some algebra gives a contradic- 
tion. It follows that the inequality 


|x — a], < CHx(x)?~* 


has only finitely many solutions. 


Remark 8.1. Examining the above proof sketch, especially the sequence of 
choices in step IV, it is clear why one does not obtain an effective procedure 
for finding all xe K satisfying |x — «|, < CH,(x)"?~*. What the proof shows 
is that one cannot find a long sequence of such x,’s with heights growing 
sufficiently rapidly, where the terms “long sequence” and “sufficiently rapid- 
ly” can be made completely explicit in terms of K, a, ¢, and C. The problem is 
that the required growth of the height of each x; is given in terms of the height 
of its predecessor. What this boils down to is that if one can find a large 
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number of good approximations to « whose heights are sufficiently large, 
then one can obtain a bound for all of the other possible good approxi- 
mations to a in terms of the approximations one has. Unfortunately, the 
bounds which come out of Roth’s theorem are so large, it is highly unlikely 
that there will be even a single good approximation to « of the requisite 
height. 

Using a slight elaboration of the argument given above, it is even possible 
to give explicit constants C, and C,, depending on K, a, ¢, and C, such that 
the inequality 

|x — al, < CHy(x) 7 
has at most C, solutions xeK satisfying H,x(x) > C,. (See [Mig], for 
example.) Further, it is most unlikely that there are any solutions at all with 
H,(x) > C,. But the proof of Roth’s theorem does not preclude the existence 
of these large solutions, and it provides no tools with which to find them if 
they exist! 


EXERCISES 


9.1. Let (¢(n)),-1,2,.., be a sequence of positive real numbers. We say that a number 
a€R is ¢-approximable (over Q) if there are infinitely many p/qe€ Q satisfying 


Ja — p/q| < 1/q¢(q). 


(E.g. Roth’s theorem (1.4) says that no element of Q is n 
(a) Prove that for any ¢ > 0, 


1*_approximable.) 


ite 


{aeR: ais n'**-approximable} 


is a set of measure 0. 
(b) More generally, prove that if the series 21/¢(n) converges, then 


{aeR:a is ¢-approximable} 
is a set of measure 0. 


9.2. (a) Use Liouville’s theorem (1.3) to prove that the number £2™ is tran- 
scendental. 
(b) More generally, let (e(n)),=1,2,... be a sequence of real numbers with the 
property that for every d > 0, there is a constant C, > 0 such that 


e(n)>Cyn* —foralln =1,2,.... 


Prove that for every integer b > 2, the sequence Zb~*” defines a transcen- 
dental number. 


9.3. For each integer m # 0, let 
N(m) = # {(x, y)eZ?: y? = x3 + m}. 


(N(m) is finite from (3.2).) 

(a) Prove that N(m) can be arbitrarily large. [Hint: Choose an mp so that 
y? = x3 + m, has infinitely many rational solutions, and then clear the 
denominators of a lot of them.] 
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9.4. 


9.5. 


9.6. 


9.7. 


(b) More precisely, prove that there is an absolute constant c > 0 such that 
N(m) > c(log |m])** 


for infinitely many me Z. [Hint: Use height functions to estimate the size 
of the denominators cleared in (a).] 

(c)** Prove that N(m) is unbounded as m ranges over sixth-power-free integers 
(i.e. integers divisible by no non-trivial sixth power). 


Let E/Q be an elliptic curve, and suppose that Pe E(Q) is a point of infinite 
order. For each prime peéZ for which E has good reduction, let n, be the order 
of the reduced point P in the finite group E( F,). Prove that there are only finitely 
many positive integers which do not occur as an n, for some prime p. [Hint: 
You will need the strong form of Siegel’s theorem. Specifically, see (3.3).] 


(a) Let f(T) =a )T" +--+ a,€Z[T] be a polynomial with aya, 4 0 and dis- 
tinct roots €,,..., €,€C. Let A = max{|apl, ..., |a,|}. Prove that for every 
teQ, 

| f(0)| > (2n7A)™ min {lt — Sy), -..,|t — Gl} 


(b) Let f(T) =aj)T" +---+a,€K[T] be a polynomial with distinct roots 
€,,...,¢6,€K. Let S c My bea finite set of places of K, each extended in some 
fashion to K. Prove that there is a constant C,, depending only on f and S, 
so that for every te K, 

T] min{1, fi} = C, [] max {1, |t — Er}. 
veS veS 1<i<n 

(c) Find an explicit expression for C, which involves only n and 
Ax([ao, aay a,]). 


(a) Let F(X, Y)e ZX, Y] be a homogeneous polynomial of degree d > 3 with 
non-zero discriminant. Prove that for every non-zero integer b, Thue’s 
equation 

F(X, Y)=b 


has only finitely many solutions (x, y)¢Z?. [Hint: Let f(T) = F(T, 1), and 
write b = F(x, y) = y"f(x/y). Now use (exer. 9.5a) and (1.4).] 

(b) More generally, let F(X, Y)e KX, Y] be a homogeneous polynomial of 
degree d > 3 with non-zero discriminant, and let S < M, be a finite set of 
places containing Mf. Prove that for every be K*, the equation 


F(X, Y)=b 


has only finitely many solutions (x, y)e Rs x Rs. 7 
(c) Let f(X)e€K[X] be a polynomial with at least two distinct roots (in K), let 
S < Mx be as in (b), and let n > 3 be an integer. Prove that the equation 


y" = f(X) 


has only finitely many solutions (x, y)e Rs x Rs. [Hint: Mimic the 
proof of (4.3) until you end up with a number of equations of the form 
aW" + bZ" = c, and then use (b).] 


Let E/K be an elliptic curve without complex multiplication. Prove that for 
every prime /, the representation of Gx), on the Q,-vector space T,(E) ® Q, is 
irreducible. 
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9.8. 


9.9. 


9.10. 
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(a) Let ||-|| be the usual Euclidean norm on R’, and let {v,,..., v,} be a basis for 
R". Prove that there is a constant c>0, depending only on n and 
{v,,..., D,}, such that 

|Xaivil] > max{|qjl}. 

(b) Let A < R" be a lattice. Prove that there exists a basis {v,,..., v,} for A and 

a constant c, > 0 depending only on nso that 


4,0; I 2 és), la,v; \|?. 


[Hint: Ideally, one would like to choose an orthogonal basis for A. This may 
not be possible, but mimic the Gram—Schmidt process to find a basis which 
is as orthogonal as possible.] 

(c) Let ||- ||, and ||- ||, be norms on R”. (Le. They satisfy ||v|| > 0, |v|| = 0 if and 
only if v = 0, ||av|| < |a|||v]], and ||v + wi] < |||] + || w]l.) Prove that there 
are constants c,, c, > 0 such that 


cy {loll, < loll, <cailolly for all veR. 


Deduce that an estimate as in (a) holds for any norm on R’. 

(d) Let Q be a positive definite.quadratic form on R". Prove that there is a 
constant c > 0, depending on n and Q, such that for any integral lattice 
point (a,,...,a,)EZ" < R’, 

Q(a,,..-,4,) > c max{|a,|,..., |a,|}?. 


(e) Let E/K be an elliptic curve and P,,..., P, a basis for the free part of E(K). 
Prove that there is a constant c > 0, depending on E and P,, ..., P., such 
that for all integers m,,..., m,, 


h(m, P, + +++ +_m,P,) > c max{|my|,..., |m,|}?. 


Let ze K,z #0. 
(a) Prove that for any ve Mx, 


zl, > Hg(z)"*. 


(b) More generally, prove that for any (not necessarily finite) set of absolute 
values S c Mx, 


[] min{1, |z[} > Ag(z)"?. 

veS 
(This lemma, trivial as it appears, lies at the heart of all known proofs in 
Diophantine approximation and transcendence theory. In its simplest guise, 


namely for K = Q, it asserts nothing more than the fact that there are no 
positive integers less than 1!) 


Prove that there is an (absolute) constant C > 0 such that the inequality 
0 <|y? — x3] < C/|x| 
has infinitely many solutions (x, y)¢ Z?. [Hint: Verify the identity 
(t? — 5)?((t + 9)? + 4) — (t? + 6 — 11)? = —1728(t — 2). 


Then take solutions to u? — 2v? = —1, and set t = 2u — 9. This leads to a value 
C = 432,/2 + efor anye >0.] 
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9.11. 


9.12. 


9.13. 


9.14. 


(a) Let d = 2 (mod 4) and D = d? — 1. Prove that the equation 
y=x3+D 


has no solutions x, ye Z. 
(b) For each of the primes p in the set {11, 19, 43, 67, 163}, find all solutions 
x, y€Z to the equation 
y= x —p. 


[ Hint: Work in the ring R = Z[3(1 + ./—p)]. Note that R is a principal 
ideal domain, and 2 does not split in R.] 


Let E/Q be an elliptic curve given by a Weierstrass equation 
E:y? + a,xy + a3y = x° + a,x? + ayx + dg 


with a,,...,a,¢Z. Let Pe E(Q) be a point of infinite order; and suppose that for 
some integer m > 1, x([m]P)eZ. Prove that x(P)e Z. (This result is often useful 
in searching for integral points on elliptic curves of rank 1. See the next exercise 
for an example.) 


Let E/Q be the elliptic curve given by the equation 
E:y+y=x3—x. 


Assume as given that E(Q) has rank 1. (See exer. 10.9 for a proof of this fact.) 

(a) Prove that E,,,,(Q@) = {O}, and hence that E(Q) = Z. 

(b) Prove that (0, 0) is a generator for E(Q). [Hint: Make a sketch of E(R), and 
show that (0, 0) is not on the identity component. Use (exer. 9.12) to con- 
clude that a generator for E(Q) must be an integer point on the non-identity 
component, and find all such points. ] 

(c) Find all of the integer points on E. [Hint: Let P = (0, 0). Suppose [m]P is 
integral. Write m = 27n with n odd, and use (exer. 9.12) to show that [n] P is 
integral. Use an argument as in (b) to find all possible values for n, and then 
do some computations to find the possible a’s.] 

(d) Solve the following classical number theory problem: Find all positive 
integers which are simultaneously the product of two consecutive positive 
integers and the product of three consecutive positive integers. 


Let C/K be a curve, and let f, gé K(C) be non-constant functions. 
(a)* Prove that 
h,(P 
Limit 2) _ dee 
peem h(P) deg g 


(b) Prove that for every ¢ > 0 there exists a constant c = c(f, g, ¢) such that 
(deg g)h,(P) — (deg f)h,(P)| < eh,(P) +c for all PeC(K). 


(c) Suppose that C is an elliptic curve. Prove that there is a constant 
c=c(f, m, €) such that 
|h,([m]P) — m7h,(P)| < eh,(P)+¢ for all PeC(K). 


(Note that f need not be even. Compare with (VIII. 6.4b).) 
(d) Prove that (3.1) is true‘for any non-constant function f ¢ K(E). Use this to 
prove (3.2.2) directly, without reducing first to (3.2.1). 


CHAPTER X 
Computing the Mordell—Weil Group 


A better title for this chapter might have been “Computing the Weak 
Mordell—-Weil Group”, since we will be concerned solely with the problem of 
computing generators for the group E(K)/mE(K). However, given generators 
for E(K)/mE(K), a finite amount of computation will always yield generators 
for E(K). (See (VIII.3.2) and (exer. 8.18).) Unfortunately, there is no compar- 
able algorithm currently known which is guaranteed to give generators for 
E(K)/mE(K) in a finite amount of time! 

We start in section 1 by taking the proof of the weak Mordell—Weil 
theorem given in (VIII §1) and making it quite explicit. In this way the 
computation of E(K)/mE(K) (in a special case) is reduced to the problem of 
determining whether each of a certain finite set of auxiliary curves, called 
homogeneous spaces, has a single rational point. Then the question of whether 
a given homogeneous space has a rational point may often be answered 
either affirmatively, by finding such a point; or negatively, by showing, for 
example, that it has no points in some completion K, of K. 

The next two sections develop the general theory of homogeneous spaces 
(for elliptic curves). Then in section 4 we apply this theory to the problem of 
computing E(K)/mE(K); or, more generally, E’(K)/¢(E(K)) for any isogeny 
¢: E — E’. Again this computation is reduced to the problem of the existence 
of a single rational point on certain homogeneous spaces. The only impedi- 
ment to solving this latter problem occurs if some homogeneous space has a 
K,-rational point for every completion K, of K, yet none-the-less has no 
K-rational points. Unfortunately this precise situation, the failure of the so- 
called Hasse Principle, can certainly occur. The extent of its failure is quanti- 
fied by the elements of a certain group, called the Shafarevich—Tate group. 
The question of an effective algorithm for the computation of E(K)/mE(K) is 
thus finally reduced to the problem of giving a bound for divisibility in the 
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Shafarevich—Tate group (or even better, proving the conjecture that is is 
actually a finite group). 

In the last section we illustrate our general theory by studying in some 
detail the family of elliptic curves given by the equations 


Ey: Y2=X3+DX  DeQ. 


In particular, we find the torsion subgroup and an upper bound for the rank 
of E,(Q), give a large class of examples for which E)(Q) has rank 0, and show 
that in certain cases Ep(Q) has an associated homogeneous space which 
violates the Hasse principle. (I.e. The homogeneous space has points defined 
over R and Q, for every prime p, but has no Q-rational points.) 

Unless explicitly stated to the contrary, the notation for this chapter will be 
the same as that of chapter VIII. In particular, K will be a number field and 
Mx a complete set of inequivalent absolute values for K. However, as in- 
dicated in the text, this requirement is dropped in sections 2, 3, and 5 of this 
chapter, where K is allowed to be an arbitrary (perfect) field. 


§1. An Example 


For this section we let E/K be an elliptic curve, m > 2 an integer, and we 
assume that E[m] c E(K). Recall (VIII §1) that under this assumption there 
is a pairing 
kK: E(K) x Gg > E[m] 
defined by 
K(P, o) = Q° —Q, 
where Qc E is chosen so that [m]Q = P. Since the kernel of x on the left is 
mE(K) (VIII.1.2), we may also think of x as giving a homomorphism 
dg: E(K)/mE(K) + Hom(Gg,x, E[m]) 
5,(P)(a) = K(P, 0). 
(This is the connecting homomorphism for the long exact sequence in group 
cohomology; see (VIII §2).) 
Next we note that E[m] < E(K) implies that p,,¢ K* (IIL8.1.1). This 
follows from the basic properties of the Weil pairing (III §8) 
m: E[m] x E[m] > pp, 


which we will use extensively below. 

Finally, since p,, < K*, Hilbert’s theorem 90 (B.2.5c) says that every homo- 
morphism Gg/x > 1, has the form o > B/B for some Be K* with B™eK*. In 
other words, we have an isomorphism (cf. VIII §2) 


Ox : K*/K*™ m4 Hom(Gx,/x, Bin) 
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defined by 
5x(b)(o) = B°/B, 


where Be K* is chosen so that 6” = b. (Notice the close resemblence in the 
definitions of 6, and dx. This is no coincidence. 6, is the connecting homo- 
morphism for the Kummer sequence associated to the group variety E/K, 
and 6, is the connecting homomorphism for the Kummer sequence as- 
sociated to the group variety G,,/K.) 

Using the above maps, we can now make the argument in the proof of the 
weak Mordell—Weil theorem much more explicit, and in this way derive 
formulas which will allow us to compute the Mordell—Weil group in certain 
cases. We start with a theoretical description of this method. 


Theorem 1.1. (a) With notation as above, there is a bilinear pairing 
b: E(K)/mE(K) x E[m] > K*/K*™ 
such that 
em(Se(P), T) = dx(b(P, T)). 


(b) The pairing in (a) is non-degenerate on the left. 

(c) Let S < Mx be the set of infinite places, together with the finite primes at 
which E has bad reduction and the primes dividing m. Then the image of the 
pairing in (a) lies in the subgroup of K*/K*™ given by 


K(S, m) = {be K*/K*": ord,(b) = 0 (mod m) for all v¢ S}. 


(d) The pairing in (a) may be computed as follows: For each Te E[m], choose 
functions fr, gy € K(E) satisfying the conditions 


div(f7) = m(T)—m(O), — fro[m] = gr. 
(See the definition of the Weil pairing in (III §8).) Then provided P # T, 
b(P, T) = f7(P) (mod K*"). 


[If P = T, one can use linearity. For example, if [2]T # O, then b(T, T) = 
fr(—T)". More generally, choose any other point Pé E(K) with P # T, and 
set b(T, T) = f(T + P)fr(P)*.] 


Remark 1.2. Why do we say that (1.1) provides formulas with which to try to 
compute the Mordell—Weil group? First, the group K(S, m) in (b) is finite (see 
the proof of (VIII.1.6)); and in fact it is quite easy to compute explicitly. 
Second, the functions f; in (c) are also fairly easy to compute from the 
equation of the curve. Now, the fact that the pairing in (a) is non-degenerate 
on the left means that in order to compute E(K)/mE(K), it is “only” necessary 
to do the following. Fix generators T, and T, for E[m]. Then for each of the 
finitely many pairs 


(b,, b,)€ K(S, m) x K(S, m), 
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see if it is possible to solve the equations 


bizt = fr,(P) —b23 = fr,(P) 


with points (P, z,, Z,)€ E(K) x K* x K*. To be even more explicit, we can 
express the function f; in terms of Weierstrass coordinates x and y; and then 
we are looking for a solution (x, y, z,, 2.)¢K x K x K* x K* satisfying the 
simultaneous equations 


y? + ayxy + a3y = x3 + a,x? + ax + 6 
by 27 = fr, (x, y) b223 = fr, (x, y). 


These equations give a new curve, called a homogeneous space for E/K. (See 
§3 for more details.) What we have done is reduce the problem of calculating 
E(K)/mE(K) to the problem of the existence or non-existence of a single 
rational point on each of an explicitly given finite set of curves. Now fre- 
quently many of these curves can be immediately eliminated from consid- 
eration, because they have no points over some completion K, of K (which 
is an easy matter to check). On the other hand, a short search (by hand or 
computer) will often uncover rational points on some of the others. If in this 
way one can deal with all of the homogeneous spaces in question, then the 
determination of E(K)/mE(K) is complete. The problem that arises is that 
occasionally a homogeneous space will have points defined over every com- 
pletion K,, but never-the-less have no K-rational points. It is this situation, 
the failure of the Hasse principle, which makes the Mordell—Weil theorem 
ineffective. 


Remark 1.3. Notice that the condition div(f;) = m(T) — m(O) in (1.1d) is 
only enough to specify f; up to multiplication by an arbitrary element of K*. 
But the equality f;0[m] = gf with g;¢ K(E) means that in fact f; is well- 
determined up to multiplication by an element of K*”. Thus the value f;(P) 
in (1.1d) does give a well-defined element of K*/K*". 


We now proceed to the proof of (1.1), after which we will study the case 
m = 2 in more detail, and use it to compute E(K)/2E(K) for an example. 


Proor oF 1.1. (a) Hilbert’s theorem 90 (B.2.5c) shows that the pairing is 
well-defined. The bilinearity follows from the bilinearity of the Kummer 
pairing (VIII.1.2b) and the bilinearity of the Weil e,,-pairing (III.8.1a). 

(b) To prove non-degeneracy on the left, we suppose that b(P, T) = 1 for all 
Te E[m]. This means that for all Te E[m] and all oe Ggix, 


én(K(P, 0), T) = 1. 


Now the non-degeneracy of the Weil pairing (III.8.1c) implies that «(P, ¢) =O 
for all o; so from (VIII.1.2c), Pe mE(K). 

(c) Let B = b(P, T)'”. Tracing through the definitions, we see that the field 
K(f) is contained in the field L = K([m]~'E(K)) described in (VIII.1.2d). 
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From (VIII.1.5b), the extension L/K is unramified outside S. But it is easy to 
see that if ve M, is a finite place with v(m) = 0, then the extension K()/K is 
ramified at v if and only if 


ord,(B™") = 0 (mod m). 


(Here ord, : K*—> Z is the normalized valuation associated to v.) This says 
precisely that b(P, T)€ K(S, m). 

(d) Choose QEE so that P = [m]Q, and Be K* so that b(P, T) = 6”. By 
definition, we have (for all o € Gxx), 


&m(Oe(P)(o), T) = dx(b(P, T))(0), 
em(Q° — Q, T) = B’/B, 
9r(X + O° — Q)/gr(X) = B’/B, 
9r(Q)"/9r(Q) = B°/B — putting X = Q. 


Since 6, is an isomorphism, it follows that g-(Q)" = B™ (mod K*”). (Note 
that g;(Q)” = f7(P) is in K*.) Therefore 


Fr(P) = fro [m](Q) = gr(Q)" = 6" = b(P, T) (mod K*"). O 


We now consider the special case m = 2, which is by far the easiest to work 
with. Under our assumption that E[2] c E(K), we may take a Weierstrass 
equation in the form 


y? = (x — €;)(x — e2)(x — e3) with e,, e,, e€,€K. 


Thus T, = (e,, 0), T, = (e2, 0), T; = (e3, 0) are the three non-trivial 2-torsion 
points. Letting T = (e, 0) represent any one of these points, we claim that the 
function f; specified in (1.1d) is f(x, y) = x — e. This function certainly has 
the correct divisor, 


div(x — e) = 2(T) — 2(0). 
On the other hand, as one can easily check, 
xo[2] —e =(x? — 2ex — 2e? + 2(e, +e, +e3)e —(e1e, +€1e3 +€2e3))7/(2y), 


so x — e does have both properties needed to be fr. 
Now suppose that we have chosen a pair (b,, b,)€K(S, 2) x K(S, 2), and 
wish to determine whether there is a point P ¢ E(K)/2E(K) satisfying 


b(P, T;) = b, and b(P, T,) = bp. 


There will be such a point if and only if there is a solution (x, y, z,, 2,)é 
K x K x K* x K* to the system of equations 


y? = (x — e,)(x — e2)(x — es), byzj=x—-e, ba23 =X — ep. 


We now substitute the latter two equations into the first, and define a new 
variable z; by y = a,4,2,2 223, which is permissible since b,, b,, z, and z, 
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take non-zero values. This yields the three equations 
b,bo23=x—e3, Dbyzt=x—-e,, byz3=x—e; 
and finally eliminating x gives the pair of equations 
bz? —b,z3=e,—e,, bz? — b,b,z3 =e3 — ey. 


We now have a finite set of such equations, one for each pair (b,, b2), and 
may use whatever techniques are at our disposal (e.g. v-adic, computer 
search, etc.) to determine whether they each do or do not have a solution. 
Notice that if we do find a solution, then the corresponding point in 
E(K)/2E(K) is immediately recoverable from the equalities 

x=b,227 +e, y=b,b.2,2223. 


Finally, we must deal with the fact that we can not use the definition 
b(P, T) = f;(P) if it should happen that P = T. In other words, there are two 
pairs (b,, b,) which do not arise from the above procedure, namely the pairs 
(b(T,, T,), b(T,, T,)) and (b(T}, T,), (Tz, T,)). They may be computed by 
linearity as 
b(T,, T,) = b(T,, T; + T,)b(T,, T,)™* 

= D(T;, T;)b(T,, T,)* 

= (e, — e3)/(e1 — 2); 
and similarly 

b(T,, Tr) = (e2 — e3)/(e2 — 1). 
We summarize this entire procedure in the following proposition. 
Proposition 1.4 (Complete 2-Descent). Let E/K be an elliptic curve given by a 
Weierstrass equation 
y? =(x —e,)(x —e)(x —e3) with e,, e,, e3€K. 


Let S < Mg be a set of places of K including all archimedian places, all places 
dividing 2, and all places at which E has bad reduction. Further let 


K(S, 2) = {be K*/K*? : ord,(b) = 0 (mod 2) for all v¢ S}. 
There is an injective homomorphism 
E(K)/2E(K) > K(S, 2) x K(S, 2) 
defined by 
(x — e€,, xX — e,) if x # €1, eo 
((e, — e3)/(@1 — €2),€1 — @2) fx =e 


(e — €1, (€2 — e3)(e2 —@1)) fx =e, 
(1, 1) if x = o (ie. if P = O). 


P =(x, y)> 
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Let (b,, b,)€K(S, 2) x K(S, 2) be a pair which is not the image of one 
of the three points O, (e,, 0), (e2, 0). Then (b,, bz) is the image of a point 
P = (x, y)€ E(K)/2E(K) if and only if the equations 


biz} — byz5 =e, — &, 
b,z? — b,b,23 =e, —e, 


have a solution (z,, 22, Z3)€K* x K* x K; if such a solution exists, then one 
can take 


P = (x, y) = (bi 27 + €1, by b2212325). 
ProorF. As explained above, this is a special case of (1.1). oO 


Example 1.5. We now use (1.4) to compute E(Q)/2E(Q) for the elliptic curve 
E:y? = x? — 12x? + 20x = x(x — 2)(x — 10). 
This equation has discriminant 
A = 409600 = 2'45?, 


and so has good reduction except at 2 and 5. Reducing the equation modulo 
3, one easily checks that #E(F,) = 4. Since E[2] < E,,,,(Q), and E,,,,(Q) 
injects into E(F3) (VII.3.1), we see that 


Exors(Q) = E[2]. 
Now let S = {2, 5, 00} c Mg; then a complete set of representatives for 
Q(S, 2) = {be Q*/Q*? : ord,(b) = 0 (mod 2) for all p¢ S} 
is given by the set 
fb 1, 2, 5,10}, 


which we will identify with Q(S, 2). Next consider the map 
E(Q)/2E(Q) > Q(S, 2) x Q(S, 2) 
given in (1.4), say with 
e, = 0, e, = 2, and e, = 10. 
There are 64 pairs (b,, b,)¢Q(S, 2) x Q(S, 2); and for each pair we must 


check to see if it comes from an element of E(Q)/2E(Q). For example, using 
(1.4) we can compute the image of E[2] in Q(S, 2) x Q(S, 2): 


O-(1,1) (0,0)>(5,-2) (2,0)>(2,-1) (10,0) > (10, 2). 
It remains to determine, for each other pair (b,, b,), whether the equations 
b,z? = b,z3 = 2 b,z? == b,b,23 = 10 (*) 


have a solution z,, z,, z3¢Q. (For example, if b, < 0 and b, > 0, then («) 
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Table 10.1 


Q,® 

(20, 60)® | (10, 09 
Q, ° 

(1, —3® | (2,0)° Q, o | 

Qs ® | © | ag, -399 R @ 


clearly has no rational solutions, since the first equation will not even have a 
solution in R.) 

Proceeding systematically, we list our results in table 10.1. The entry for 
each pair (b,, b,) consists of either a point of E(Q) mapping to (b,, b,), or 
else a (local) field over which the equations (+) have no solution. (Note 
that if (z,, 22, 23) is a solution to (*), then the corresponding point of E(Q) 
is (b,z? + e,,b,b,z,22;3).) The circled numbers in the table refer to the 
notes which explain each entry. Finally, we note that since the map 
E(Q)/2E(Q) > Q(S, 2) x Q(S, 2) is a homomorphism, it is not necessary to 
check every pair (b,, b,). For example, if both (b,, b,) and (b;,, b,) come from 
E(Q), then so does (b,b/,, b,b’,). Similarly, if (b,, b,) does and (b/, b5) does 
not, then (b, b/,, b,b5,) does not. This observation can substantially reduce the 
amount of computation necessary. 


(1) Ifb, <Oand b, > 0, then b,z7 — b,z3 = 2 has no solutions in R. 

(2) If b, < Oand b, < 0, then b,z7 — b,b,z3 = 10 has no solutions in R. 

(3) The 2-torsion points {O, (0, 0), (2, 0), (10, 0)} map respectively to 
{(1, 1), (5, —2), (2, — 1), (10, 2)}. 

(4) (b,, 62) = (1, —1): By inspection, the equations 

ze+ze2=2 22+4+2%=10 
have the solution (1, 1, 3). This gives the point (1, —3)¢ E(Q). 

(5) Adding (1, —3)¢ E(Q) to the non-trivial two-torsion points corresponds 
to multiplying their (b,,b,)’s. This gives the pairs (5, 2), (2, 1), and 
(10, —2) in Q(S, 2) x Q(S, 2), which correspond to (20, 60), (18, —48), 
and (10/9, — 80/27) in E(Q). 

(6) b; #0 (mod 5) and b, =0 (mod 5): The first equation in (*) implies 
that z, and z, must be 5-adically integral. Then the second equation 
shows that z, = 0 (mod 5), and so from the first equation we obtain 
0 = 2 (mod 5). Therefore (*) has no solutions in Q.. 

(7) The eight pairs in (6) are Q, non-trivial. (Ie. There are no Q, solutions to 
(+).) If we multiply them by the Q-trivial pair (5, 2), we obtain eight more 
Q, non-trivial pairs. 
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(8) (b,, b) = (1, 2): The two equations in (*) are 
z?—2z3=2 and 2? —2z?=10. 


Since 2 is a quadratic non-residue modulo 5, the second equation 
implies that z, =z; =0 (mod 5). But then the second equation gives 
0 = 10 (mod 25). Therefore there are no solutions in Q,. 

(9) Taking the Q,-non-trivial pair (1, 2) from (8) and multiplying by the 
seven Q-trivial pairs already in the table gives seven new Q.-non-trivial 
pairs which fill the remaining entries. 


Conclusion. E(Q) = Z x Z/2Z x Z/2Z. 


§2. Twisting—General Theory 


For this section (and the next) we drop our requirement that K be a number 
field, so K will be an arbitrary (perfect) field. As we saw in section 1 while 
trying to compute the Mordell—Weil group of an elliptic curve E, we were led 
to the problem of the existence or non-existence of a single rational point on 
various other curves. These other curves are certain twists of E, called homo- 
geneous spaces. In this section we will study the general question of twisting 
which, since it is no more difficult, we will develop for curves of arbitrary 
genus. Then in the next section we will look at the homogeneous spaces 
associated to an elliptic curve. 


Definition. Let C/K be a smooth curve (projective, as always.) The isomor- 
phism group of C, denoted Isom(C), is the group of isomorphisms from C to 
itself (defined over K). As usual, Isom,(C) is the subgroup of Isom(C) consist- 
ing of isomorphisms defined over K. (To ease notation, we will write the 
composition of maps multiplicatively; thus «B instead of «0 B.) 


Remark 2.1. The group we are denoting Isom(C) is usually called the auto- 
morphism group of C, and denoted Aut(C). However, if E is an elliptic curve, 
then we have defined Aut(E) to be the group of isomorphisms from E to E 
taking O to O. Thus Aut(E) 4 Isom(E) since, for example, Isom(E) contains 
the translations tp: E > E. We will describe Isom(E) more fully in section 5. 


Definition. A twist of C/K is a smooth curve C’/K which is isomorphic to C 
over K. We generally identify two twists if they are isomorphic over K. The 
set of twists of C/K, modulo K-isomorphism, is denoted Twist(C/K). 

Now let C’/K be a twist of C/K. This means that there is an isomorphism 
¢: C’ > C defined over K. To measure the failure of ¢ to be defined over K, 
we might consider the map 


E:GzxIsom(C)  ¢, = 976. 
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It turns out that € is a 1-cocycle; and the cohomology class of € is uniquely 
determined by the K-isomorphism class of C’. Further, every cohomology 
class comes from some twist of C/K. In this way Twist(C/K) may be identi- 
fied with a certain cohomology set. We now prove these statements. 


Theorem 2.2. Let C/K be a smooth curve. For each twist C’/K of C/K, choose 
an isomorphism ¢: C' > C and define a map €, = ¢°¢ 1 €Isom(C) as above. 
(a) ¢ is a 1-cocycle. (I.e. For all o, t€ Gxjx, 


Sor = (S4)'S-) 


We denote the corresponding cohomology class in H* (Gx), Isom(C)) by {€}. 
(b) The cohomology class {€} is determined by the K-isomorphism class of C’, 
independent of the choice of ¢. We thus obtain a natural map 


Twist(C/K) > H*(Gg)x, Isom(C)). 


(c) The map in (b) is a bijection. In other words, the twists of C/K (up to 
K-isomorphism) are in one-to-one correspondence with the elements of the 
cohomology set H'(Gx)x, Isom(C)). 


Remark 2.3. We emphasize that the group Isom(C) is often non-abelian (this 
is always the case for elliptic curves). Hence H*(Gg,x, Isom(C)) is in general 
only a pointed set, not a group. (See B §3.) However, if Isom(C) has a Gg)x- 
invariant abelian subgroup A, then H'(Ggx, A) is a group, and its image in 
H*(Gxx, Isom(C)) will give a natural group structure to some subset of 
Twist(C). In the next section, we will apply this observation when C is an 
elliptic curve, taking for A the group of translations. 


ProoF. (a) €,, = $7 | = (¢°d “(6° *) = (€.)°E.- 

(b) Let C’/K be another twist of C/K which is K-isomorphic to C’. Choose 
a K-isomorphism w:C’-—+C. We must show that the cocycles ¢7¢7! 
and wy’ are cohomologous. By assumption, there is a K-isomorphism 
6: C” + C’.. Consider the element « = ¢0~~' € Isom(C). We compute 


a7(y?y*) = (OW) (Wry*) = gary 
= $7 Op" = (b' 9 *)(GOW*) = (6° “Ya. 


This proves that ¢7¢7' and w7y~' are cohomologous. 
(c) Suppose that C’/K and C"/K are twists of C/K which give the same 
cohomology class in H'(Gx/x, Isom(C)). This means that if we choose K- 
isomorphisms ¢:C’->C and w:C”—C, then there is a map aeIsom(C) 
such that 

awe) =(¢°d")a for all cE Gg. 


(Ie. The cocycles for ¢ and w are cohomologous.) We now consider the map 
6:C" —+C’' defined by 6 = ¢ 1a. It is a K-isomorphism, and we wish to 
show that it is actually defined over K. For any o € Gg/x, we compute 
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0° = (9°) * (a W") = (G7) (9° tap) = GV op = 8. 
Therefore C” and C’ are K-isomorphic, and so give the same element of 
Twist(C/K). This proves that the map Twist(C/K) > H'(Gg,x, Isom(C)) is 
injective. 

To prove surjectivity, we start with a l-cocycle €: Gg)x > Isom(C), and 
construct a curve C’/K and an isomorphism ¢: C’ > C such that ¢, = go". 
To do this we consider a field, denoted K (C),, which is isomorphic (as a field 
over K) to K(C), say by an isomorphism Z : K(C) > K(C);. The difference 
between K(C) and K (C), lies in the action of Galois; on K(C), it is twisted by 
€. In other words, for all f ¢ K(C) and ce Gijx; 


Z(f)” = ZFC). 


(Here we are thinking of f as giving a map f:C > P? (cf. II.2.2), and f7é, 
is composition of maps. Equivalently, the map €,:C > C induces a map 
é*: K(C) > K(C), and f€, is just another notation for €*({”).) 

Having given the action of Gg,x on K (C)z, we may consider the fixed field 
Fe K(Q); consisting of all elements of K(C), fixed by Ggx. We now show in 
several steps that this field is the function field of the desired twist of C. 


(i) FAK=K = . 
Suppose that Z(f)eF a K. In particular, since Z induces the identity on K, 


f ¢K. Now the fact that Z(f)¢F combined with the fact that f is a constant 
function (and so unaffected by isomorphisms of C) implies 

Z(f) = ZY = ZFS) = ZF). 
Since this holds for all o € Gg,x, it follows that fe K. 
(ii) KF = K(C); 2 
This is an immediate consequence of (II.5.8.1) applied to the K-vector space 
K(C);. 

It follows from (ii) that F has transcendence degree 1 over K; so using (i) 
and (11.2.5), there exists a smooth curve C’/K such that ¥ = K(C’). Further, 
(ii) implies that K(C) = KF = = K(Q); = ~ K(C), so C’ and C are isomorphic 
over K (1I.2.4.1). In other words, C’ is a twist of C, and the final step in 
proving surjectivity is to show that it gives the cohomology class {¢}. 

(iii) Let @:C’—C be a K-isomorphism corresponding (I1.2.4b) to the 
isomorphism 


Z:K(C)> K(C; = KF = K(C’). 


(Le. 6* = Z.) Then for all o€ Gx, €, = 9°9. 
Having identified ¢* with Z, the relation Z(f)’ = Z(f°¢,) used in defining 
the map Z can be rewritten as (f¢)° = f°€,¢. In other words, for all fe K(C), 


S79? = (f9)" = f°Sad. 


But this implies that ¢° = €,¢, which is exactly the desired result. O 
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Example 2.4. Let E/K be an elliptic curve, K (\/d) a quadratic extension of K, 
and x: Ggjx > {+1} the quadratic character associated with K (/d)/K. (Le. 


x(o) = Ja?) Jd. Note that char(K) # 2.) Then we can define a cocycle 
€:Gxx7Isom(E) ¢, =[x(9)]. 


Let C/K be the corresponding twist of E/K. We now find an equation for 
C/K. 

_ Choosing a Weierstrass equation for E/K of the form y” = f(x), we write 
K(E) = K(x, y) and K(C) = K(x, y)z. Since [—1](x, y) = (x, —y), the action 
of o € Gxjx on K(x, y), may be summarized by 


Ja’ = x(0)./d, X7=X, y= x(a)y. 


Thus the functions x’ = x and y’ = ylJd in K(x, y)z are fixed by Gx/x, hence 
are in K(C). They satisfy the equation 


dy’? = f(x’), 
which is the equation of an elliptic curve defined over K. Further, the identi- 
fication (x’, y') > (x, y',/d) shows that this curve is isomorphic to E over 
K (/d ). It is now an easy matter to check that the associated cocycle is €, and 
so verify that we have found an equation for C/K. C is called the twist of E by 


the quadratic character y. We will return to this example in more detail in 
section 5. 


§3. Homogeneous Spaces 


Recall from (VIII §2) that associated to an elliptic curve E/K, we have a 
Kummer sequence 


0 > E(K)/mE(K) > H'(Ggx, E[m]) > H'(Gx)x, E)[m] > 0. 


The proof of the weak Mordell—Weil theorem hinged on the essential fact 
that the image of the first term inside the second consists of elements which 
are unramified outside a certain finite set of primes. In this section we analyze 
the third term in this sequence by associating to each element of H'(Gg)x, E) 
a certain twist of E called a homogeneous space. Rather than starting with the 
cohomology, we will begin by defining homogeneous spaces and describing 
their basic properties. After this will come the cohomological interpretation, 
which says that homogeneous spaces are those twists which correspond to 
cocycles with values in the group of translations. 


Definition. Let E/K be an elliptic curve. A (principal) homogeneous space for 
E/K is a smooth curve C/K together with a simply transitive algebraic group 
action of E on C defined over K. [I.e. A homogeneous space for E/K really 
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consists of a pair (C, y), where C/K is a smooth curve and 
wi CxEoC 
is a morphism defined over K with the following three properties: 


(i) u(p, O) = p for all peC. 
(ii) u(u(p, P), Q)= u(p,P + Q) — forall peC and P, QeE. 
(iii) For all p, géEC there is a unique Pe E satisfying u(p, P) = q.] 


We will often denote y(p, P) with the more intuitive notation p + P. Then 
property (ii) is just the associative law, (p+ P)+Q=p+(P+Q). Of 
course, one has to determine from context whether + means addition on E or 
the action of E on C. 

In view of the simple transitivity of the action, we may also define a 
subtraction map on C by the rule 


viCxCrE 
v(q, p) = (the unique Pe E such that p(p, P) = q). 


As we will see below, v is also a morphism and defined over K. (This also 
follows from elementary intersection theory on C x C. Note that it is not 
even clear a priori that v is a rational map.) As with py, we will often write 
v(q, p) as q — p. 

One immediately verifies that addition and subtraction on a homogeneous 
space have the right properties. 


Lemma 3.1. Let C/K be a homogeneous space for E/K. Then for all p, qéC 
and P, Qe E: 


(a) H(p,O) =p and v(p, p) = 0. 

(b) H(p, vq, P))=q and v(u(p, P), p) = P. 
(c) v(u(q, Q), u(p, P)) = (vq, p), Q — P). 
[e. Using the alternative notation, 

(a) p+O=p and p—p=0. 

(b) pP+(q—p)=q and (p+ P)—p=P. 
(c) (q+Q)—(p+ P)=(q-p)+Q-P. 


In other words, using the + and — signs provides the right intuition.] 
Proor. (a) The equality u(p, O) = p is part of the definition of homogeneous 
space. Now using this and the definition of v, 


L(p, O) = p = up, v(p, p)); 
so the simple transitivity implies that v(p, p) = O. 
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(b) The relation y(p, v(q, p)) = q is the definition of v. Then, from 


Lp, v(u(p, P), p)) = up, P), 


we conclude that v(u(p, P), p) = P. 
(c) We start with 


q = Up, v(q, P)). 
Adding on Q gives 
u(q, Q) = up, v(q, p) + Q) 
= u(p, P + v(q, p) + Q — P) 
= u(u(p, P), v(q, p) + Q — P). 
From the definition of v, this is equivalent to 


v(u(q, Q), u(p, P)) = v(q, p) + Q — P. | 


Next we show that a homogeneous space C/K for E/K is always a twist of 
E/K, so we may apply the results of the previous section. We also charac- 
terize the addition and subtraction on C in terms of a given K-isomorphism 
EC; this will enable us to prove that the subtraction map is a K- 
morphism. 


Proposition 3.2. Let E/K be an elliptic curve, and let C/K be a homogeneous 
space for E/K. Fix a point pyéC, and define a map 
O@:E>C O(P) = po + P. 


(a) 6 is an isomorphism defined over K(po). In particular, C/K is a twist of 
E/K. 
(b) For all peC and Pe E, 


p+P=0(0"'(p)+ P). 


(Note that the first + is the action of E on C, while the second + is addition on 
E.) 
(c) For all p, qEC, 


q— p= *(q) — 0"*(p). 
(d) The subtraction map 
v:CxCoE v(q, pP)=q—P 
is a morphism defined over K. 
Proor. (a) The action of E on C is defined over K. Hence for any o € Ggjx 
satisfying p§ = Po, we have 
O(P)’ = (po + P)? = pp + P? = po + P* = O(P’). 
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This shows that 0 is defined over K(po). Further, the simple transitivity of the 
action implies that 6 has degree 1; hence by (II.2.4.1), @ is an isomorphism. 


(b) 0(0-1(p) + P) = po + 9'(p) + P=p t+ P. 


(We are using the fact that 6~'(p) is the unique point of E which gives p when 
added to pg.) 


(c) 07*(q) — 9*(p) = (Po + 9-7) — (Po + 9 *(P)) = 4 — P. 


(d) The fact that v is a morphism follows from (c). (Note that subtraction on 
E is a morphism (III.3.6).) To check that v is defined over K, we let o€ Ggjx 
and use (c) to compute 


(q — p)’ = (6-*(q) — 8 *(p))” 
= 6"(q)" — 0 (py 
= [Po + 9 (QI — [po + 9 *()]” 
= 4" — p’. 
(The second and third equalities follow from the facts that subtraction on E is 


defined over K and the action of E on C is defined over K.) This completes 
the proof that v is defined over K. | 


Definition. Two homogeneous spaces C/K and C’/K for E/K are equivalent if 
there is an isomorphism 9: C > C’ defined over K which is compatible with 
the action of E on C and C’. [In other words, for all pe C and Pe E, 


O(p + P) = O(p) + P.] 


The equivalence class containing EF, acting on itself by translation, is called 
the trivial class. The collection of equivalence classes of homogeneous spaces 
for E/K is called the Weil-Chatelet group for E/K, and is denoted WC(E/K). 
(We will see below why it is a group.) 

We now characterize the trivial homogeneous spaces. 


Proposition 3.3. Let C/K be a homogeneous space for E/K. Then C/K is in the 
trivial class if and only if C(K) is not empty. 


ProorF. If C/K is in the trivial class, then there is a K-isomorphism 6: E > C, 
and so 6(O)e C(K). 
Conversely, suppose that py € C(K). Then from (3.2a), the map 
06:E>C O&P)=pot+P 


is an isomorphism defined over K(po) = K. The necessary compatibility con- 
dition on @ is 


Po + (P + Q) =(po + P) + Q, 


which is part of the definition of homogeneous space. im 
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Remark 3.4. Notice that (3.3) says that the problem of checking the triviality 
of a homogeneous space is exactly equivalent to answering the fundamental 
Diophantine question of whether a given curve has any rational points. Thus 
our next step, namely the identification of WC(E/K) with a certain co- 
homology group, may be regarded as the development of a tool to help us 
study this difficult Diophantine problem. 


Lemma 3.5. Let 9: C/K > C’/K be an equivalence of homogeneous spaces for 
E/K. Then 


0(q)— O(p)=q-—p _ forallp,qec. 


Proor. This is just a matter of grouping points so that the additions and 
subtractions are defined. 


8(q) — O(p) = (L0(4) + (p — 4)] — O(p)) + (4 — p) 
= (6[q + (p — g)] — %(p)) + (Q-p)=4-P. Oo 


Theorem 3.6. Let E/K be an elliptic curve. There is a natural bijection 
WC(E/K) > H*(Gxx, E) 
defined as follows: 
Let C/K be a homogeneous space, and choose any point py¢C. Then 
{C/K} > {o > po — Po}- 


(Here the brackets indicate an equivalence class.) 


Remark 3.6.1. Since H'(Gx,x, E) is a group, (3.6) defines a group structure 
on the set WC(E/K). One can also give the group law on WC(E/K) geometri- 
cally, without using cohomology (exer. 10.2), which is in fact the way it was 
originally defined ([We 5]). 


Proor. First we check that the map is well-defined. It is immediate that 
o > Po — Po is a cocycle: 
Po — Po = (PO — Po) + (Po — Po) = (PO — Po)’ + (Po — Po) 
Now suppose that C’/K is another homogeneous space which is equivalent 
to C/K. Let 0: C >C’ be a K-isomorphism giving the equivalence, and let 
Poe C’. Then using (3.5), we compute 
Po — Po = 9(P6) — (Po) 
= (Po — Po) + [(O(Po) — Po)” — (O(Po) — Po) I. 


Hence the cocycles p} — po and py — po differ by the coboundary generated 
by 0(po) — po E, so they give the same cohomology class in H'(Gx,x, E). 
Next we check injectivity. Suppose that the cocycles p§ — po and py — Po 
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corresponding to C/K and C’/K are cohomologous. Thus there is a point 
P,¢€£ such that 


Po — Po = (Po — Po) + (Po — Po) —for all oe Ggjx. 
Consider the map 
6:C+C’ — A(_p) = Po + (P — Po) + Po. 


It is clear that 9 is an isomorphism (over K), and that it is compatible with the 
action of E. To see that 6 is defined over K, we check 


A(P)" = Pe + (p" — Po) + PS 
= Po + (P* — Po) + Po 
+ (po — Po) + Po — Po — (Po — Po) J 
= 0(p’). 
This proves that C and C’ are equivalent. 
Finally we prove surjectivity. Thus let ¢: Gg. — E be a 1-cocycle repre- 
senting an element in H'(Gg/x, E). If we embed E in Isom(E) by sending Pe E 
to the translation tpeIsom(E), then we may look at the image of ¢ in 


H'*(Ggjx, Isom(E)). From (2.2), there is a curve C/K and a K-isomorphism 
¢@:C — E such that for all o€ Ggix, 


¢°o¢ ! = translation by —€,. 


(The reason we use — é instead of € will become apparent below.) 
Define a map 
wiCxE>C  wlp, P)=¢"*(G(p) + P). 
We now show that this gives C/K the structure of a homogeneous space over 
E/K, and that the cohomology class associated to C/K is {€}. 

First, to see that y is simply transitive, let p, q¢C. Then by definition, 
u(p, P) = q if and only if 6~'(¢(p) + P) = q; and so the only choice for P is 
P = $(q) — (p). Second, to check that p is defined over K, we let c€ Gxjx 
and compute 

u(p, P)” = (6 *)"(9"(p’) + P’) 
=o *([o(p?) + €.) + P7] — €,) 
= wp’, P’). 
Third, to compute the cohomology class associated to C/K, we may choose 


any poéC and look at the cocycle o > pj — po. In particular, if we take 
Po = ¢ (0), then 


Po — Po = (¢’) *(0) — 9 *(0) 
=$"(0+2,)—¢*(0) 
= C7; 
This completes the proof of (3.6). O 
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Example 3.7. Let E/K be an elliptic curve and K(\/d)/K a quadratic exten- 
sion (so char(K) # 2.) Suppose that Te E(K) is a non-trivial point of order 2. 
Then the homomorphism 


o: Gajx > E 
= if Ja = Jd 
T if Jd o= Jd 
is a 1-cocycle. We will now construct the homogeneous space corresponding 
to the element {£} € H'(Gx)x, E). 
Since Te E(K), we may choose a Weierstrass equation for E/K of the form 
E:y?=x>?+ax?+bx — with T= (0,0). 
Then the translation-by-T map has the simple form 
t(P) = (x, y) + (0, 0) = (b/x, —by/x?). 


Thus if o € Gg)x represents the non-trivial automorphism of K(/d )/K, then 
the action of o on the twisted field K(E), may be summarized by 


Jd? =—- fd, x =d/x, yy? = —by/x?. 


We must find the subfield of K (Jd )(x, y)z fixed by o. 


The functions 
Jdx/y and \/d(x — b/x) 


are easily seen to be invariant. Anticipating the form of our final answer, we 
will consider instead the functions 


z=./dx/y and w= Jd(x — b/x)(x/y)?. 
To find the relation that they satisfy, we compute 
d(w/z?)? = (x — b/x)? = (x + b/x)? — 4b 
= ((y/x)? — a)? — 4b = (d/z? — a)? — 4b. 
Thus (z, w) are affine coordinates for the hyperelliptic curve 
C: dw? = d? — 2adz* + (a? — 4b)z*. 


(For general facts about hyperelliptic curves, see (I1.2.5.1) and (exer. 2.14).) 
We claim that C/K is the twist of E/K corresponding to the cocycle ¢. 

First, recall from (II.2.5.1) that C will be a smooth affine curve provided 
that the polynomial d? — 2adz? + (a? — 4b)z* has four distinct roots (in K). 
Further, (II.2.5.2) says that if this quartic polynomial has distinct roots, then 
there is a smooth curve in P? which has an affine piece isomorphic to C; and 
further, this smooth curve will consist of C together with the two points 
[0, 0, +./a? — 4b, 1] out at infinity. (N.B. The projective closure of C in P? 
is always singular.) Now it is easy to check that the quartic has distinct roots 
if and only if b(a? — 4b) 4 0. On the other hand, since E is non-singular, we 
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know that A(E) = 16b?(a? — 4b) 40. Therefore C is an affine piece of a 
smooth curve in P?; and to ease notation, we will also use C to denote this 
smooth curve C c P*. 

Next, we have the map (defined over K (/d )) 


@:E>C 

(x, y) > (2, w) = (/dx/y, /d(x — b/x)(x/y)). 
Note that since 

x/y = xy/y” = y/(x? + ax + b), 
¢@ may also be written as 
vdy fax? -d) 
Os (ey. A), 

This allows us to evaluate 

90,0) =(0,—./d) and 9(0) = (0, /d). 

To show that ¢ is an isomorphism, we compute its inverse: 
Jdw/z? = x — b/x = 2x — (x + b/x) 
= 2x — ((y/x)? — a) = 2x — (d/z? — a). 
This gives x in terms of z and w, and then y = Jax/z. Thus 
@':C7E 


(2, w-( 


Since C and E are smooth, ¢ is an isomorphism (II.2.4.1). 
Finally, to compute the element of H'(Gg,x, E) corresponding to C/K, we 
may choose any point pe C and compute the cocycle 


op’ —p=¢ "(p)—¢ (p). 
For instance, we may take p = (0, Jae C. Clearly p’ — p = Oif Ja oe a 
On the other hand, if Jd en /d, then from above 


Pp — p=", —/d)— $0, /d) = 0, 0). 
Therefore p?—p=€, for all c€Ggx, so {C/K}¢WC(E/K) maps to 
{f} € H'(Gxx, E). [Of course, it was just “luck” that we obtained an equality 


p° — p= €,. In general, the difference of these two cocycles would be some 
coboundary. ] 


Jdw — az? +d dw — ax/dz? + d./d 
22? ' 223 : 


We conclude this section by showing that if C/K is a homogeneous space 
for E/K, then Pic®(C) may be canonically identified with E. This means that 
E is the Jacobian of C/K. Since every curve C/K of genus 1 is a homogeneous 
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space for some elliptic curve E/K (exer. 10.3), this shows that the abstract 
group Pic°(C) can always be represented as the group of points on an elliptic 
curve. The analogous result for curves of higher genus, in which Pic®°(C) is 
represented by an abelian variety of dimension equal to the genus of C, is 
considerably harder to prove. 


Theorem 3.8. Let C/K be a homogeneous space for an elliptic curve E/K. 
Choose a point py€C, and consider the summation map 


sum : Div°(C) > E 
Xn(p;) > X[n,] (Pi — Po)- 
(a) There is an exact sequence 
13 K* + K(C* 3S Div(C E50. 


(b) The summation map is independent of the choice of the point po. 
(c) The summation map commutes with the natural action of Gg,x on Div°(C) 
and E. Hence it gives an isomorphism of Gx)x-modules (also denoted sum) 


sum: Pic°(C) & E. 
In particular. 


Pic®(C) = E(K). 


ProoF. (a) Using (II.3.4), we see that we must check that sum is a surjective 
homomorphism and has as kernel the set of principal divisors. It is clear that 
sum is a homomorphism. Let Pe E and D = (pp) + P) — (po) € Div?(C). Then 
sum(D) = ((Po + P) — Po) — (Po — Po) = P; 
SO sum is surjective. 
Next let D = n,(p)€Div(C) satisfy sum(D)=O. Then the divisor 
in,(p; — Po) € Div(E) sums to O, so (III.3.5) it is principal, say 
¥in(p;— Po) = div(f) for some fe K(E)*. 
We have an isomorphism 
d:C>+E = $(p) = Pp — Pos 
and so by (II.3.6b), 
div(g*f) = $* div(f) = ¥'n:9*((p; — Po)) = Yini(p) = D. 
Therefore D is principal. 
Finally, if D = div(g) is principal, then 
dnp; — Po) = (9 *)* div(g) = div((d*)* 9); 


and so sum(D) = O. This shows that the kernel of sum is the set of principal 
divisors. 
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(b) Let sum’: Div°(C) > E be the summation map defined using the base- 
point py¢C. Then 


sum(D) — sum'(D) = ¥'[n,] ((p; — Po) — (Pi — Po)) 
> y [n;](Po — Po) 
= 0, 


since Zn; = deg(D) = 0. 
(c) Let c€ Gg. Then 


sum(D)’ = )'[n;](p7 — po) = sum(D*), 


since from (b) we know that the sum is the same if we use p§ as our basepoint 
instead of po. Now from (a) and the definition of Pic°(C), we have a group 
isomorphism sum : Pic°(C) > E, and the fact that sum commutes with Gg,x 
says precisely that it is an isomorphism of Gg,x-modules. Finally, the last 
statement in (3.8c) follows by taking Gg,,-invariants. oO 


§4. The Selmer and Shafarevich—Tate Groups 


We return now to the problem of calculating the Mordell—Weil group of an 
elliptic curve E/K defined over a number field K. As we have seen (VIII.3.2 
and exer. 8.18), it is enough to find generators for the finite group E(K)/mE(K) 
for any one integer m > 2. 

Suppose that we are given another elliptic curve E’/K and a non-zero 
isogeny ¢:E—E’ defined over K. (For example, we could always take 
E' = E and ¢ = [m].) Then there is an exact sequence of Gg/x-modules, 


0 E[¢] > E% E' 30, 


where E[¢] denotes the kernel of ¢. Taking Galois cohomology yields the 
long exact sequence 
0> E(K)[¢] > EK) % E(K) 
6 
ad (Gg, E[¢])> A(Gg x, E)-> H* (Gg; E)>; 
and from this we form the fundamental short exact sequence 
0 + E’(K)/@(E(K)) > H" (Gx, E[¢]) > H(Ggx, EG] 70. (*) 


Note that (3.6) says that the last term in (+) may be identified with the ¢- 
torsion in the Weil—Chatelet group WC(E/K). 

The next step is to replace the second and third terms of (*) with certain 
finite groups. This is accomplished by local considerations. For each ve Mx, 
we fix an extension of v to K, which serves to fix an embedding K c K, 
and a decomposition group G, < Ggjx. Now G, acts on E(K,) and E’(K,); 
and so repeating the above argument yields exact sequences 
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0 E'(K,)/@(E(K,)) > H'(G,, El[¢]) > H4(G,, E)[¢] > 0. (*,) 


Now the natural inclusions G, < Ggx and E(K) < E(K,) give restriction 
maps on cohomology, and so we end up with the following commutative 
diagram (where we have replaced each H1(G, E) by the corresponding Weil- 
ChAtelet group): 

é 


0> E(K)/$(E(K)) > H*(Ggx, E[¢]) > WC(E/K)[¢] +0 
i | (**) 
0- I] E'(K,)/$(E(K,)) > nan H*(G,, E[¢]) > I] WC(E/K,)[¢] > 0. 
Our ultimate goal is to compute the image of E’(K)/d(E(K)) in 
H'(Ggx, E[¢]); or equivalently, the kernel of the map 


H"(Ggx, E(¢]) > WC(E/K)[¢]. 


Now using (3.3), this last problem is the same as determining whether certain 
homogeneous spaces possess a K-rational point, which may be a very difficult 
question. On the other hand, by the same reasoning, the determination of 
each local kernel 


ker{H1(G,, E[¢]) > WC(E/K,)[¢]} 


is straightforward; since the question of whether a curve has a point over a 
complete local field K, reduces (by Hensel’s lemma) to checking whether it 
has a point in some finite ring R,/.Z (for some easily computable integer e), 
and so requires only a finite amount of computation. This prompts the 
following definitions. 


Definition. Let 6: E/K — E'/K be an isogeny as above. The ¢-Selmer group of 
E/K is the subgroup of H'(Gg)x, E[¢]) defined by 


S(E/K) = ker \# \(Ggx EL¢) > IT] weUElK yh. 
veM, 
The Shafarevich—Tate group of E/K is the subgroup of WC(E/K) defined by 


W(E/K) = ker WC(E/K) Il weEIK. 


Remark 4.1.1. Since the exact sequences (*,) given above depend on choosing 
an extension of each ve M, to K, it may appear that the groups S(E/K) and 
IN(E/K) will depend on that choice. However, in order to determine whether 
an element of WC(E/K) becomes trivial in WC(E/K,), one must check 
whether the associated homogeneous space (which is a curve defined over K) 
has any points defined over K,. This last question is clearly independent of 
any choice of extension of v to K, since v itself determines the embedding of K 
in K,. Therefore S®(E/K) and II(E/K) depend only on E and K. (Alterna- 
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tively, one can check directly on cocycles that the cohomological definition of 
S® and III does not depend on the extension of the v’s to K. We will leave this 
for the reader. See also (exer. B.6).) 


Remark 4.1.2. A good way to think of II(E/K) is as the group of homo- 
geneous spaces for E/K which possess a K,-rational point for every ve Mx. 
Le. The homogeneous spaces which are everywhere locally trivial. 


Theorem 4.2. Let ¢: E/K — E'/K be an isogeny of elliptic curves defined over 
K. 
(a) There is an exact sequence 


0- E'(K)/¢(E(K)) > SO(E/K) — W(E/K)[¢] > 0. 
(b) The Selmer group S®(E/K) is finite. 


Proor. (a) This is immediate from the diagram (**) and the definition of the 
Selmer and Shafarevich—Tate groups. 

(b) Notice that if E = E’ and ¢ = [m], then the finiteness of S“(E/K) implies 
the weak Mordell—Weil theorem. On the other hand, in order to prove that 
S®\(E/K) is finite for a general map ¢, we must essentially reprove the weak 
Mordell—Weil theorem. The argument goes as follows. 

Let €€S(E/K), and let veM, be a finite place of K not dividing 
m = deg(¢) such that E’/K has good reduction at v. We claim that € is 
unramified at v. (See (VIII §2) for the definition of an unramified cocycle.) 

To check this, let I, < G, be the inertia group for v. Since €€ S®(E/K), we 
know that € is trivial in WC(E/K,). Hence from the sequence (*,) given 
above, there is a point Pe E(K,) such that 


={P°—P} forall oeG,. 
(Note that P’ — Pe E[¢]).) In particular, this holds for all o in the inertia 
group. But if ce/,, then looking at the “reduction modulo v” map E > E, 
yields 
po — Pp = Pe — P= 60, 
since by definition inertia acts trivially on E,. Thus P’ — P is in the kernel of 


reduction modulo v. But P’ — P is also in E[¢], which is contained in E[m]; 
and from (VIII.1.4), E(K)[m] injects in E,,. Therefore P’ = P, and so 


= {P?— P}=0 for all cel,. 


This proves that every element in S®(E/K) is unramified at all but a fixed, 
finite set of places ve Mx. The finiteness of S®(E/K) now follows from the 
next lemma. O 


Lemma 4.3. Let M be a finite (abelian) Gg)x-module, S < Mx a finite set of 
places, and define 


§4. The Selmer and Shafarevich-Tate Groups 299 


H'(Ggx, M; S) = {€€H*(Ggx, M): € is unramified outside S}. 
Then H'(Gxx, M; S) is finite. 


Proor. Since M is finite and Gg), acts continuously on M, there is a sub- 
group of finite index in Gg,x which fixes every element of M. Using the 
inflation-restriction sequence (B.2.4), we see that it is alright to replace K by a 
finite extension, so we may assume that the action of Gg,x on M is trivial. 
Then 


H" (Ggjx, M; S) = Hom(Ggjx, M; S). 
Now let m be the exponent of M (i.e. mx = 0 for all x e M); and let L/K be 


the maximal abelian extension of K having exponent m which is unramified 
outside of S. Since M has exponent m, the natural map 


Hom(G,/x, M) > Hom(Gg/x, M; S) 


is clearly an isomorphism. But from (VIII.1.6), L/K is a finite extension. 
Therefore Hom(Gg)x, M; S) is finite. im 


We record as a corollary the main fact about the Selmer group derived 
during the course of proving (4.2). (Note that by (VII.7.2), isogenous elliptic 
curves have the same set of primes of bad reduction.) 


Corollary 4.4, Let ¢: E/K > E'/K be as in (4.2), and let S < Mx be a finite set 
of places containing 


Mg v {v:E has bad reduction at v} u {v: v divides deg(g)}. 
Then 
SE/K) < H'(Ggjx, E[41; S). 


Remark 4.5. At least in theory, and often in practice, the Selmer group is 
effectively computable. The point is that the finite group H'(Gg)x, E[¢]; S) 
may be effectively computed. Then to determine whether a given element 
€€H'(Gz x, E[¢]; S) is in S(E/K), one takes the corresponding homoge- 
neous space {C/K }e¢ WC(E/K) and checks whether C(K,) # @ for each of 
the finitely many ve S. This last problem may be reduced, by Hensel’s lemma, 
to a finite amount of computation. 


Example 4.5.1. We reformulate the example of section | in these terms 
(leaving some details to the reader). Thus let E/K be an elliptic curve with 
E[m] < E(K), let S c Mg be the usual set of places, and let K(S, m) be as in 
(1.1c). Choosing a basis for E[m], we may identify E[m] with p,, x pw, (as 
Ggjx-modules); and then 


H'(Ggx, E[¢]; S) = K(S, m) x K(S, m). 
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(le. Use the isomorphism K*/K*"— H'(Gxx,p,).) Restricting atten- 
tion now to the case m= 2, the homogeneous space associated to a pair 
(b,, b)€ K(S, m) x K(S, m) is the curve in P? given by the equations (cf. (1.4)) 


fale 2 2 2 a 2 
C:byzq — b223 = (e2 — €1)20 by 21 — by b223 = (e3 — €,)zZ0. 


For any given pair (b,, b,), it is now an easy matter to check if C(K,) # @ for 
each veS, and so to calculate S®(E/K). For example, the conclusion of (1.5) 
may be summarized by stating that for the curve 


E: y? = x? — 12x? — 20x, 
S°(E/Q) ~(Z/22)? and WI(E/Q)[2] = 0. 


(The conclusion about III follows from the exact sequence (4.2a), since in (1.5) 
we actually showed that every element of S'?(E/Q) is the image of a point of 
E(Q).) 


Suppose now that we have computed the Selmer group S®(E/K) for some 
isogeny ¢. Thus each £ € S®(E/K) corresponds to a homogeneous space C,/K 
which has a point defined over every local field K,. Suppose further that we 
are lucky and can show that III(E/K)[¢] = 0. This means that on each of the 
curves C; we are able to find a K-rational point. It follows from (4.2a) that 
E'(K)/¢(E(K)) = S®(E/K), and all that remains is to explain how to find 
generators for E’(K)/¢(E(K)) in terms of the points we found on each C,(K). 
This is accomplished by the following proposition. 


Proposition 4.6. Let 6: E/K — E'/K be an isogeny, let € be a cocycle represent- 
ing an element of H'(Gx/x, E[¢]), and let C/K be a homogeneous space repre- 
senting the image of € in WC(E/K). Choose an isomorphism 6: C — E (defined 
over K) satisfying 


6° 067! = (translation by €,) _—_— for all ce Gg. 


(a) The map $00:C-—-E’ is defined over K. 

(b) If PeC(K), and so {C/K} is trivial in WC(E/K), then the point 
¢00(P)EE(K) maps to € under the connecting homomorphism 6: E'(K) > 
H *(Giix: E[@)). 


Proor. (a) Let o€Ggjx and PeC. Then, since ¢ is defined over K and 


€,€E[¢], we have 
(9 0 O(P))” = ($0 8°)(P’) = g(O(P’) + ¢,) = 90 O(P”). 


Therefore ¢ 0 @ is defined over K. 
(b) This is just a matter of unwinding definitions. Thus 


0(¢ 0 O(P)), = O(P)” — O(P) = O(P*) + ¢, — O(P) = Co. oO 


Remark 4.7. We have been working with arbitrary isogenies ¢: E — E’. But in 
order to compute the Mordell—Weil group of E’, we need generators for 
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E'(K)/mE'(K) for some integer m; just knowing E'(K)/¢(E(K)) is not enough. 
The solution to this dilemma is to consider also the dual isogeny ¢: E’ > E. 
Using the procedure outlined above, one computes both Selmer groups 
S®(E/K) and S®(E'/K); and then, with a little bit of luck, one finds 
generators for the two groups E’(K)/@(E(K)) and E(K)/4(E(K)). Having 
done this, it is then a simple matter to obtain generators for E(K)/mE(K) 
(where m = deg ¢) by using the following elementary exact sequence (note 


go =[m]): 


9» F(K)Id] _ E(K) ¢ E(K) _E(K) 


~ @(E(K)[m])  @(E(K))mE(K) g(E(K)) 


Example 4.8. Two-isogenies. We are going to illustrate the above theory by 
completely analyzing the case of isogenies of degree 2. Let 6: E— E’ have 
degree 2. Then the kernel E[¢] = {0, T} is defined over K, so T€ E(K). Thus 
E has a K-rational 2-torsion point, so by moving that point to (0, 0), we can 
find a Weierstrass equation for E/K of the form 


E:y* = x? + ax? + bx. 
Now let S c Mx be the usual set of places. Identifying E[¢] with p, (as 
Gx)x-modules), we see that K*/K*? ~ H'(Gg/x, E[¢]); and so 
H*(Ggx, E[¢]; S) = K(S, 2) 


(using the notation of (1.1c) and (4.3).) More precisely, if de K(S, 2), then 
tracing through the above identifications shows that the corresponding 


cocycle is 
{0 if /d = /d 
T if fd =—-J4. 


The homogeneous space C,/K associated to this cocycle was computed in 
(3.7); it is given by the equation 


C,: dw? = d? — 2adz* + (a? — 4b)z*. 


Now in order to compute the Selmer group S‘(E/K), we need merely check if 
C,(K,) # @ for each of the finitely many de K(S, 2) and veS. 
Next, E’/K has a Weierstrass equation of the form 


E': Y? = X3 — 2aX? + (a? — 4b)X, 
where the isogeny ¢: E — E’ is given by the formula (III.4.5) 
G(x, y) = (y?/x?, y(b — x?)/x?). 


In (3.7) we gave an isomorphism 0: C, > E (defined over K (Jd )). Comput- 
ing the composition ¢ 0 6 yields the map 


$00:C,>E' $0 A(z, w) = (d/z?, dw/z?) 


described in (4.6). Finally, just as was done in (1.4) (see also exer. 10.1), one 
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can compute the connecting homorphism 

6: E(K) > H*(Ggx, E[¢]) = K*/K*? 

6(0) = 1, 6(0,0) =a? —4b,and 6(X,Y)=X if X 40,0. 
We summarize the preceding discussion in the following proposition. 
Proposition 4.9. (Descent via Two-Isogeny.) Let E/K and E'/K be elliptic 
curves given by equations 
E:y?=x>+ax*+bx and E': Y* = X? — 2aX? + (a? — 4b)X; 
and let 
@:E>E = g(x, y) =(y"/x’, y(b — x?)/x’) 
be the isogeny of degree 2 with kernel E[¢] = {0, (0, 0)}. Let 
S = Mf vu {primes dividing 2b(a* — 4b)}. 
There is an exact sequence 
0 > E(K)/9(E(K)) *, K(S, 2) + WC(E/K)L4] 
Oo-1 
(0,0) 2a*—4b d—>{C,/K}, 

(X, Y) > X 
where C,/K is the homogeneous space for E/K given by the equation 

C,: dw? = d? — 2adz? + (a? — 4b)z*. 
The $-Selmer group is then 

S®(E/K) = {de K(S, 2): C,(K,) # @ for all veS}. 

Finally, the map 

W:Cy> E' W(z, w) = (d/z?, dw/z?) 
has the property that if Pe C,(K), then 

5(W(P)) = d (mod K*?*). 

Remark 4.9.1. Note that since the isogenous curve E’ in (4.9) has the same 
form as E, everything in (4.9) applies also to the dual isogeny ¢: E’ > E. 


Then, using the exact sequence in (4.7), we may be able to compute 
E(K)/2E(K). 


Remark 4.9.2. If E/K is an elliptic which has a K-rational 2-torsion point, 
then E also has an isogeny of degree 2 defined over K (II1.4.5). Thus the 
procedure described in (4.8) may be applied to any elliptic curve with 
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E(K)[2] # 0. In particular, (4.9) in some sense subsumes (1.4), where we had 
assumed that E[2] c E(K). 


Example 4.10. We now use (4.9) to compute E(Q)/2E(Q) for the elliptic curve 
E:y? = x3 — 6x? + 17x. 

This equation has discriminant A = — 147968 = —2°177, so our set S is 
{oo, 2,17}, and we may identify Q(S, 2) with {+1, +2, +17, +34}. The 
curve which is 2-isogenous to E has the equation 

E': Y? = X3 4+ 12X? — 32x; 
and for de Q(S, 2), the corresponding homogeneous space is 

Cy: dw? = d* + 12dz? — 322%. 


From (4.9), the point (0, 0)¢ E’(Q) maps to 6(0, 0) = —32 = —2 (mod Q*?), 
so —2€S(E/Q). We now check the other possible values for d. 


d=2 Cy: 2w? = 4 + 242? — 3224 


Dividing by 2 and letting z = Z/2 gives the equation 
C,:w? = 2+ 32? — Z+4, 
which by inspection has the rational point (Z, w) = (1, 2). Then using (4.9), 


the point (z, w) = 4, 2)€ C,(Q) maps to W(, 2) = (8, 32)¢ E(Q); and as pre- 
dicted by the theory, 6(8, 32) = 8 = 2 (mod Q*?). 


d=17 Cy 17w? = 17? + 12-172? — 3224. 


Suppose that C,7(Q,7) # @. Since ord,7(17w’) is odd and ord, ,(32z*) is 

even, we see that necessarily z, we Z,,. But then the equation for C,, implies 

first that z = 0 (mod 17), then that w = 0 (mod 17), and finally that 17? = 

0 (mod 17°). This contradiction shows that C,7(Q,7) = @, so 17¢ S®(E/Q). 
We now know that 


1, —2,2eS®(E/Q) and 17¢S®(E/Q). 
Since S®(E/Q) is a subgroup of Q(S, 2), it follows that S®(E/Q) = {+1, +2}. 
We have also shown that E’(Q) surjects onto S®(E/Q), and so from (4.2a), 
IN(E/Q)[¢] = 0. 
We now repeat the above computation with the roles of E and E’ reversed. 
Thus for de Q(S, 2), we look at the homogeneous space 


Ci: dw? = d? — 24dz? + 272274. 


As above, the point (0, 0) € E(Q) maps to 6(0, 0) = 272 = 17 (mod Q*?). Next, 
if d < 0, then clearly C,(R) = @, so d¢ S®(E’/Q). Finally, for d = 2, if we let 
z= Z/2, then C; has the equation 
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Ch: 2w? = 4 — 12Z? +1724. 


But if C,(Q,) # ©, then necessarily Z, we Z,; and then from the equation for 
C we deduce successively Z = 0 ned 2), w = 0 (mod 2), 4 = 0 (mod 23). 
Therefore C(Q,) = @, and so 2¢s¢ (E'/Q). Hence SY(E’/Q) = {1, 17} and 
II(E’/Q)[¢] = 0. 

To recapitulate, we now know that 


E(Q)/¢(E(Q)) = (Z/2Z) and E(Q)/g(E'(Q)) = Z/2Z, 


the former being generated by {(0, 0), (8, 32)} and the latter by {(0, 0)}. The 
exact sequence (4.7) then yields 


E(Q)/2E(Q) = (Z/2Z)* = E'(Q)/2E(Q); 
and so 
E(Q) = E(Q) = Z x Z/2Z. 


Remark 4.11. In all of the examples up to this point, we have been lucky in 
the sense that for every locally trivial homogeneous space that has appeared, 
we have been able to find (by inspection) a global rational point. Another 
way to say this is that we have yet to see a non-trivial element in the 
Shafarevich—Tate group. The first examples of such spaces are due to Lind 
[Lin] and (independently, but shortly later) Reichardt [Rei], who proved 
that the curve 


2w? = 1 — 172+ 


has no Q-rational point. (One easily checks that it has a point defined over 
every Q,.) We will prove a more general result below (6.5). Shortly thereafter, 
Selmer [Sel 1] made an extensive study of the curves ax? + by? + cz? = 0, 
which are homogeneous spaces for the elliptic curves x* + y? + dz? = 0. He 
gave many examples of locally trivial, globally non-trivial homogeneous 
spaces, of which the simplest is 


3x3 + 4y3 + 523 =0. 


It is a difficult problem, in general, to divide the Selmer group into the 
piece coming from rational points on the elliptic curve and the piece giving 
non-trivial elements in the Shafarevich—Tate group. At present, there is no 
algorithm known which is guaranteed to solve this problem. The procedure 
which we now describe will often work in practice, although it tends to lead 
to fairly elaborate computations in algebraic number fields. 

Recall that for each integer m > 2 there is an exact sequence (4.2a) 


E(K) & S\E/K) > WI(E/K)[m] > 0: 


and the finite group S(E/K) is effectively computable, at least in theory 
(4.5). If we knew some way of computing III(E/K)[m], then we would be able 
to find generators for E(K)/mE(K), and thence for E(K). Unfortunately, a 
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general procedure for computing II(E/K)[m] is still being sought. However, 
for each integer n > 1 we can fit together the above exact sequences to form a 
commutative diagram 


E(K) > S”)(E/K) > IN(E/K)[m"] > 0 
| id J { mult. by m"™! 


E(K) > S(E/K) > I(E/K)[m] = 0. 


Now at least in principle, the middle column of this diagram is effectively 
computable. This allows us to make the following refinement to the exact 
sequence in (4.2a). 


Proposition 4.12. Let E/K be an elliptic curve. For integers m > 2 and n > 1, 
let S°"(E/K) be the image of S“”"(E/K) in S™(E/K). Then there is an exact 
sequence. 


0 > E(K)/mE(K) > S™"(E/K) > m" 1 IN(E/K)[m"] — 0. 
Proor. Immediate from the commutative diagram given above. oO 


Now to find generators for E(K), one can apply the following procedure. 
Compute successively the relative Selmer groups 


S(E/K) = S™Y(E/K) > S%™2)E/K) > S™3(E/K) > + 
and the rational-point groups 
Tom, 1(E/K) © Tom,2(E/K) © Tom,3(E/K) < °°", 


where Tim,(E/K) is the subgroup of S“(E/K) generated by all points 
PeéE(K) with height h,(P) < r. Eventually, with sufficient perserverence, one 
hopes to arrive at an equality 


5!" E/K) = Tem o(E/K). 


Once this occurs, then one knows that m""‘III(E/K)[m"] = 0, and that the 
points with height h,(P) <r generate E(K)/mE(K). The problem is that, as 
far as is known, there is nothing to prevent II(E/K) from containing an 
element which is infinitely m-divisible; that is, a €€ II(E/K), € 4 0, such that 
for every n > 1 there is a €,€ HI(E/K) such that € = m"é,. If such an element 
were to exist, then the above procedure would never terminate! However, 
opposed to such a gloomy scenario is the following optimistic conjecture. 


Conjecture 4.13. Let E/K be an elliptic curve. Then IW(E/K) is finite. 


This conjecture is not known to be true for a single elliptic curve! Note that 
the successful carrying out of the procedure described above will only show 
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that the m-primary component of III is finite; this has of course been done in 
many cases. (For example, we showed that for the elliptic curve in (4.10), 
I(E/Q) has trivial 2-primary component.) 

We close by quoting the following beautiful result of Cassels, which says 
something quite interesting about the order of this group which is not yet 
known to be finite. 


Theorem 4.14 ([Ca 3], [Ta 2]). Let E/K be an elliptic curve. There exists an 
alternating, bilinear pairing 


I’: DI(E/K) x W(E/K) > Q/Z 


whose kernel is precisely the group of divisible elements of I. (I.e. If T(«, B) = 0 
for all Bell, then there exist arbitrarily large integers N and elements ay € II 
such that « = Nay.) 

In particular, if MI(E/K) is finite (or, more generally, if any p-primary 
component of Il(E/K) is finite), then its order is a perfect square. (See exer. 
10.20.) 
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Again we let K be an arbitrary (perfect) field, and let E/K be an elliptic curve. 
As we have seen (2.2), if we consider E merely as a curve and ignore the 
basepoint O, then the twists of E/K correspond to the elements of the 
(pointed) cohomology set H'(Gx,x, Isom(E)). Now Isom(E) has two obvious 
subgroups, namely Aut(E) and E, where we identify E with the set of trans- 
lations {tp} in Isom(E). Notice also that Aut(E) naturally acts on E. The next 
proposition describes Isom(E). 


Proposition 5.1. The map 
E x Aut(E) > Isom(E) 
(P, «) > tpoa 


is » bijection of sets. It identifies Isom(E) with the product of E and Aut(E) 
twisted by the natural action of Aut(E) on E. [I.e. Isom(E) is the set 
E x Aut(E) with the group law 


(P, «)-(Q, B) = (P + aQ, «0 B).] 
Proor. Let ge Isom(E). Then t_ 49) 0 g€ Aut(E), so writing 


= T $0  (T-4(0) 9) 


shows that the map is surjective. On the other hand, if tpo« = tg0 B, than 
evaluating at O gives P = Q, and then also a = 8. This proves injectivity. 
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Finally, the twisted nature of the group law follows from the calculation 


TpO%OT?OB = tOT,gOaHO B. oO 


We have already made an extensive study of those twists of E/K arising 
from translations, namely the group H*(Gg)x, E) ~ WC(E/K) studied in sec- 
tions 3 and 4. We now look at the twists of E/K coming from isomorphisms 
of E as an elliptic curve; that is, isomorphisms of the pair (E, O). In other 
words, we consider the twists of E/K corresponding to elements of 
H'(Ggx, Aut(E)). We start with a general proposition, and then (for 
char(K) # 2, 3) derive explicit equations. 


Remark 5.2. In the literature, the phrase “let C be a twist of E” often means 
that C corresponds to an element of H'(Gg,x, Aut(E)). More properly, such a 
C should be called a twist of the pair (E, O), since the group of isomorphisms 
of (E, O) with itself is precisely Aut(E). However, one can generally resolve 
any ambiguity from context without too much trouble. 


Proposition 5.3. Let E/K be an elliptic curve. 
(a) The natural inclusion Aut(E) < Isom(E) induces an inclusion 


H" (Gg x, Aut(E)) < H*(Ggx, Isom(E)). 
Identifying the latter set with Twist(E/K) by (2.2), we will denote the former by 
Twist((E, O)/K). 
(b) Let C/K € Twist((E, O)/K). Then C(K) # @, and so C/K can be given the 
structure of an elliptic curve over K. [N.B. C is not generally K-isomorphic to 
E. Contrast with (3.3).] 


(c) Conversely, if E'/K is an elliptic curve which is isomorphic to E over K, then 
E'/K represents an element of Twist((E, O)/K). 


Proor. (a) Let i: Aut(E) > Isom(£) be the natural inclusion. From (5.1), there 
is a homomorphism j: Isom(£) > Aut(E) such that joi = 1. It follows that 
the induced map 


H'(Ggjx, Aut(E)) > H*(Gzjx, Isom(E)) 


is One-to-one. _ 
(b) Let 6: C > E be an isomorphism defined over K such that the cocycle 


a>¢’o¢' 


represents the element of H'(Gg)x, Aut(E)) corresponding to C/K. Then 
¢°0¢ '(0) = O, so 


¢'\(O)=¢ (OY forall ce Gg. 


Hence ¢ !(0)e€ C(K), so (C, 7 1(O)) is an elliptic curve defined over K. a 
(c) Let ¢: E’ > E be an isomorphism of elliptic curves defined over K. In 
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particular, ¢(O’) = O, where Oc E(K) and O’e E'(K) are the respective zero 
points of E and E’. Then for any o€ Gxjx, 


¢°0¢ *(0) = ¢°(0') = g(O'Y = O° = O. 
Thus ¢’0¢ 1e€Aut(E), so the cocycle corresponding to E’/K lies in 
H' (Gg x, Aut(E)) as desired. oO 


If the characteristic of K is not 2 or 3, then the elements of Twist((E, O)/K) 
can be described quite explicitly. 


Proposition 5.4. Assume that char(K) # 2, 3, and let 
2 if j(E) #0, 1728 
n= 4 if j(E) = 1728 
6 if j(E)=0. 
Then Twist((E, O)/K) is canonically isomorphic to K*/K*". 
More precisely, choose a Weierstrass equation 
E:y*=x>?+Ax+B 
for E/K, and let De K*. Then the elliptic curve Eye Twist((E, O)/K) corre- 
sponding to D (mod K*") has the Weierstrass equation 


(i) Ep: y? =x>° + D?Ax + D°B_ if j(E) #0, 1728; 
(ii) Ep: y? = x? + DAx if j(E) = 1728 (so B = 0); 
(iii) Ep: y? =x? + DB if j(E) = 0(so A = 0). 
Corollary 5.4.1. Define an equivalence ~ on the set K x K* by 
(j,D)~(j',D') if j=j and D/D'e(K*), 
where n(j) = 2 (resp. 4, resp. 6) if j # 0, 1728 (resp. j = 1728, resp. j = 0). Then 


the K-isomorphism classes of elliptic curves E/K are in one-to-one corre- 
spondence with elements of the quotient 


K x K*/~. 


ProoF. From (III.10.2), we have an isomorphism 
Aut(E) = p, 
of Gx/x-modules. It follows from (B.2.Sc) that 
Twist((E, O)/K) = H*(Ggx, Aut(E)) © H* (Gx, b,) = K*/K*". 


The calculation of an equation for the twist Ep is straightforward. The case 
j(E) # 0, 1728 was already done in (2.4). We will do j(E) = 1728 here, and 
leave j(E) = 0 for the reader. 

Thus let D € K*, choose a fourth root 5€ K of D, and define a cocycle 


6: Gkjx > Wy fo = 07/6. 
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We also fix an isomorphism 


[ Jim, >Aut(E) — [0] (x, y) = (C?x, Cy). 


Then Ep corresponds to the cocycle o > [¢,] in H "(Gxx, Aut(E)). 
Now the action of Gx,x on the twisted field K(E), is given by 


d= f,6 x°=x y= fay. 
The subfield fixed by Gg, thus contains the functions 
X=6%x and Y=6"}y, 
and these functions satisfy the equation 
Y? = DX? + AX. 

This gives the desired equation for the twist Ep/K, and the substitution 
(X, Y) = (D™'X’, D™+Y’) puts it into the required form. 

The corollary follows by combining the proposition and (5.3c) with 


(III.1.4bc), which says that up to K-isomorphism, the elliptic curves E/K are 
in one-to-one correspondence with their j-invariants j(E)e K. oO 
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Many of the deepest theorems and conjectures in the arithmetic theory of 
elliptic curves have had as their testing grounds one of the families of curves 
given in (5.4i, ii, iii). To illustrate the theory that we have developed, let us see 
what we can say about the family of elliptic curves E/Q with j-invariant 
j(E) = 1728. 

One such curve is given by the equation 


ax +a 
and then from (5.3) and (5.4) we see that every such curve has an equation 
E:y* =x? + Dx, 


where D ranges over representatives for the cosets in Q*/Q**. Thus if we 
specify that D be a fourth-power-free integer, then it is uniquely determined 
by E. Notice that the equation for E has discriminant A(E) = —64D°%, so E 
has good reduction at all primes not dividing 2D. 

Let p be a prime not dividing 2D, and consider the reduced curve E over 
the finite field F,. From (V.4.1), E is supersingular if and only if the coefficient 
of x?-! in (x3 + Dx)”~1? is zero. In particular, if p = 3 (mod 4), then E/F, is 
supersingular; and so from (exer. 5.10) we conclude that 


#E(F,)=p+1 forall p= 3 (mod 4). 


(See exer. 10.17 for an elementary derivation of this result.) 
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Next we recall (VII.3.5) that if p # 2 and E has good reduction at p, then 
Evors(Q) injects into the reduction E(F,). It follows from above that # E,.,,(Q) 
divides p + 1 for all but finitely many primes p = 3 (mod 4); hence # E,,,,(Q) 
divides 4. Since (0, 0)¢ E(Q)[2], the only possibilities for E,,,,(Q) are Z/2Z, 
(Z/2Z)*, and Z/4Z. 

Now E[2] ¢ E(Q) if and only if the polynomial x? + Dx factors com- 
pletely over Q, so if and only if —D is a perfect square. Similarly, E(Q) will 
have a point of order 4 if and only if (0, 0)€2E(Q). The duplication formula 
for E reads 


x(2P) = (x? — D)?/(4x3 + 4Dx), 
so we see that 
(0, 0) = [2] (D*”, (4D°)*"). 


Hence assuming that D is a fourth-power-free integer, we conclude that 
(0, 0) €2E(Q) if and only if D = 4; in which case (0, 0) = [2](2, +4). 

Next, since E(Q) contains a 2-torsion point, we may use (4.9) to try to 
calculate E(Q)/2E(Q). E is isogenous to the curve 


E': Y? = X? —4Dx 
via the isogeny 
G@:E>E = (x, y) =(y?/x’, y(D — x”)/x?). 


The set S < Mg consists of oo and the primes dividing 2D; and for each 
de Q(S, 2), the corresponding homogeneous space C,/Qe WC(E/Q) is given 
by the equation 


C,: dw? = d* — 4Dz‘. 
Similarly, working with the dual isogeny ¢: E’ > E leads to the homoge- 
neous spaces C;/Q e WC(E’/Q) with equations 
C,:dW? = d? + DZ*. 
(Actually (4.9) leads to the equation dW? = d? + 16DZ*, but we are free to 
replace Z by Z/2.) 
Let v(2D) be the number of distinct primes dividing 2D. Since Q(S, 2) is 
generated by — 1 and the primes dividing 2D, we have the estimate 
dim, E(Q)/2E(Q) < 2 + 2v(2D) — dim, E'(Q)[¢] + dim, ¢(E(Q)[2]). 


Now clearly E'(Q)[¢] = Z/2Z. Next, to deal with the other two terms, we 
consider two cases. 


(1) E(Q)[2] = 2/22. 
Then ¢(E(Q)[2]) = 0 and dim, E(Q)/2E(Q) = rank E(Q) + 1. 
(2) E(Q)[2] & Z/2Z x Z/2Z. 
Then ¢(E(Q)[2]) = Z/2Z and dim, E(Q)/2E(Q) = rank E(Q) + 2. 
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Substituting these values into the above inequality yields in both cases the 
estimate 


rank E(Q) < 2v(2D). 


Notice that we have not yet checked any of the homogeneous spaces C, or 
C; for local triviality. But by inspection, if d < 0, then either C,(R) = @ or 
C,(R) = @. Thus our estimate may be cut by 1, giving the slight improve- 
ment 


rank E(Q) < 2v(2D) — 1. 


We summarize the preceding discussion in the following proposition. 


Proposition 6.1. For each fourth-power-free integer D, let Ep/Q be the elliptic 
curve 


Ep: y? =x? + Dx. 


Z/4Z if D=4 

(a) Ep tors(Q) = { Z/2Z x Z/2Z_ if —Disa perfect square 
Z/2Z otherwise. 

(b) rank E,(Q) < 2v(2D) — 1. 


Let us now restrict attention to the special case that D = p is an odd prime. 
Then the following proposition gives a complete description of the resulting 
Selmer groups and deduces corresponding upper bounds for the rank of E(Q) 
and the dimension of II(E/Q) [2]. 


Proposition 6.2. For each odd prime p, let E,/Q be the elliptic curve 
E,:y? =x? + px, 
and let ¢: E, > E’, be the isogeny of degree 2 with kernel E,[¢] = {0, (0, 0)}. 
(a) Ep tors(Q) = Z/2Z. 
(b) SP(EL/Q) = Z/22. 
Z/2Z if p =7, 11 (mod 16) 
S%E,/Q) =) (Z/2Z) if p = 3, 5, 13, 15 (mod 16) 
(Z/2Z)> if p = 1,9 (mod 16). 
0 if p=7, 11 (mod 16) 
(c) rank E,(Q) + dim, I(E/Q)[2]= 5 1 if p = 3,5, 13, 15 (mod 16) 
2 if p=1,9 (mod 16). 


Proor. To ease notation, we let E = E, and E’ = E,. 
(a) This was proven above (6.1a). 
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(b) As usual, we take representatives {+1, +2, +p, +2p} for the cosets in 
Q(S, 2). From (4.7), the images of the 2-torsion points in the Selmer groups 
are given by 


—peS(E/Q) and peS®(E'/Q). 
Further, if d < 0, then by inspection Ci(R) = @, so d¢ S®(E’/Q). 
Next we consider the homogeneous space 
C,:2W? =4+ pZ*. 
If (Z, W)eC;,(Q,), then necessarily Z, WeZ,; and then we conclude that 
Z = 0 (mod 2), so W = 0 (mod 2), so 0 = 4 (mod 8). Therefore C,(Q,) = ©, 
and hence 2¢ S®(E’/Q). We now know that 


peSP(E'/Q)  —1, +2, —p, —2p¢S%(E'/Q), 


from which it follows that S9(E’/Q) = {1, p} x Z/2Z. 

It remains to calculate S®(E/Q); and from the form the answer takes, it is 
clear that there will be many cases to consider. The best approach is to 
consider the various de Q(S, 2), and check for which primes the homoge- 
neous space C, is locally trivial. Note that from (4.9), d will be in S®(E/Q) if 
and only if C,(Q,) # @ and C,(Q,) # ©. (Le. It suffices to check whether C, 
is locally trivial at the primes p and 2.) We will make frequent use of Hensel’s 
lemma (exer. 10.12), which gives a criterion for when a solution of an equa- 
tion modulo q" lifts to a solution in Q,. 


C_,:w? + 1 = 4pz* 


(i) If (z, w)eC_,(Q,), then necessarily z, we Z,, and so w? = —1 (mod p). 
Conversely, by (exer. 10.12), any solution to w? = — 1 (mod p) will lift toa 
point in C_,(Q,). Therefore 


C_,(0,) 40 <= p=1(mod 4). 


(ii) From (i), we may assume that p = 1 (mod 4). If p = 1 (mod 8), we let 
(z, w) = (Z/4, W/8). Then our equation becomes W? + 64 = pZ*, and the 
solution (Z, W) = (1, 1) to the congruence 


W? + 64 = pZ* (mod 8) 


lifts to a point in C_,(Q,). Similarly, if p = 5 (mod 8), then we let (z, w) = 
(Z/2, W/2); and again we have a solution (Z, W) = (1, 1) to a congrunce 


W? + 4 = pZ* (mod 8) 


which lifts to a point in C_,(Q,). This proves that if p = 1 (mod 4), then 
C_,(Q) # ©. 
Combining the results of (i) and (ii) yields 


—1eES°(E/Q) < p=1(mod 4). 
d=-2 C_,:w? +2 = 2pz* 
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(i) If (z, w)eC_,(Q,), then z, weZ, and w* = —2 (mod p). Conversely, a 
solution to w” = —2 (mod p) lifts to a point of C_,(Q,). Therefore 


C_,(Q,)4 GO <= p=1,3 (mod 8). 


(ii) If (z, w)e C_,(Q,), then z, weZ, and w=0 (mod 2). Letting (z, w) = 
(Z,2W), we must check if there are any solution Z, WeZ, to the 
equation 

2W? +1 = pZ*. 
From (i), it suffices to consider those primes p = 1, 3 (mod 8). Now the 


congruence 2W? + 1 = pZ* (mod 16) has no solutions if p = 11 (mod 16), 
so 


p=i11(mod16) => C_,(Q,)=2. 


On the other hand, in order to use (exer. 10.12), we must find solutions 
modulo 2° = 32 if we want to lift them to points in C_,(Q,). The follow- 
ing table gives solutions (Z, W) to the congruence 


2W? + 1 = pZ* (mod 32) 


for each of the remaining values of p (mod 32). 


p (mod 32) 1 3 9 17 19 25 
(Z, W) (0, 1) (3, 11) (1, 2) (3, 0) (1, 3) (3, 2) 


Combining (i) and (ii), we have proven that 
—2eSP(E/Q) = p=1,3,9(mod 16). 


a= 2 C,: w? = 2 — 2pz* 


This is entirely similar to the case d= —2 just completed. A point 
(z, w)eC,(Q,) will have z, we Z, and w? = 2 (mod p), and any such solution 
will lift, so 


C,(Q,)4 OG <= p=1,7 (mod 8). 


Now if p = 1 (mod 8), then from above —1, —2eS(E/Q), so certainly 
2€S(E/Q). It remains to consider the case p = 7 (mod 8). 
A point (z, w)€ C,(Q,) will have (z, w) = (Z, 2W) with Z, We Z, and 


2W? =1— pZ*. 


There are no solutions modulo 16 if p = 7 (mod 16). On the other hand, if 
p = 15 (mod 16), then the solutions 


2:3? =1—p-1*(mod 32) if p = 15 (mod 32), 
2:12 =1—p-1* (mod 32) if p = 31 (mod 32), 
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lift to points in C,(Q,). Putting all of this together, we have shown that 
2eSP(E/Q) <= p=1,9, 15 (mod 16). 


We have now determined exactly which of —1, +2 are in S®(E/Q) in 
terms of the residue of p modulo 16. Since also —peS(E/Q), it is now a 
simple matter to reconstruct the table for S®(E/Q) given in (b). [In fact, one 
obtains even more information, namely a precise list of which elements of 
Q(S, 2) are in S®(E/Q).] 

(c) We use (4.7) and (4.2a) to compute 


dim, E(Q)[¢1/4(E(Q)[2]) + dim, E(Q)/2E(Q) 
= dim, E'(Q)/(E(Q)) + dim, E(Q)/d(E(Q)) 
= dim, S®(E/Q) — dim, I(E/Q)[¢] 
+ dim, S(E'/Q) — dim, I(E’/Q) [4]. 
From (a), we see that 
E(Q)(G1/9(E(Q)[2]) = Z/2Z and E(Q)/2E(Q) = (Z/2Z)*9* FO. 
Further, since E(Q)/¢E(Q) = SA(E'/Q) ~ Z/2Z from (b), the exact sequence 
(4.2a) implies that II(E’/Q)[¢] = 0. Hence the exact sequence 
0 > LN(E/Q)[¢] > WN(E/O)[2] 4 M(E/Q)[4] = 0 


gives 

dim, II(E/Q)[2] = dim, II(E/Q)[¢]; 
and combining this with the above results yields 
1+ (1 + rank E(Q)) = dim, S®(E/Q) + dim, S®(E’/Q) — dim, II(E/Q) [2]. 
Now (c) is immediate from the calculation of S(E/Q) and S®(E’/Q) given in 
(b). oO 
Corollary 6.2.1. There are infinitely many elliptic curves E/Q with 

rank E(Q)=0 and I (E/Q)[2] =0. 


Proor. From (6.2), the elliptic curves y? = x? + px with p = 7, 11 (mod 16) 
have this property. O 


Remark 6.3. One of the consequences of (6.2) is that if p is a prime with p = 
5 (mod 8), then the elliptic curve 
E,:y? =x? + px 


has rank at most 1. Further, examining the proof of (6.2), it will have rank 1 if 
and only if the homogeneous space 
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C_,:w? +1 = 4pz* 


has a Q-rational point; and if there is such a point, then we can find a point of 
infinite order in E(Q) by using the map (cf. 4.9) 


dow:C_,7E = pow(z, w) = (w?/4z?, w(w? + 2)/823). 


Taking the first few values for p, one does indeed find a point in C_,(Q), and 
these give the points of infinite order in E(Q) listed in the following table. 


p 5 13 29 37 
(x,y) (1/4, 9/8) (9/4, 51/8) (25/4, 165/8) (22801/900, 3540799/27000) 


Suppose that we knew, a priori, that the Shafarevich—Tate group II(E,/Q) 
were finite; or even that its 2-primary component were finite. Then the 
existence of the Cassels’ pairing (4.14) would imply in particular that 
dim, INI(E,/Q)[2] is even, and so that E,(Q) has rank 1 for all primes p = 
5 (mod 8). (This would also follow from a conjecture of Selmer ([Sel 2]) con- 
cerning the difference in the number of “first and second descents”. It is also a 
consequence of the conjectures of Birch and Swinnerton-Dyer (C.16.5). The 
fact that rank E,(Q) = 1 has been verified numerically for all such primes less 
than 1000 ([Br—C]). To give the reader an idea of the magnitude of the 
solutions which can occur, we mention that for p = 877, the Mordell—Weil 
group of the elliptic curve 


y? = x3 + 877x 
has as generators the points (0, 0) and (xo, yo), where x9 = r?/s? with 
r = 612, 776, 083, 187, 947, 368, 101 
and 
s = 7, 884, 153, 586, 063, 900, 210. 


Similarly, if p = 3, 15 (mod 16) and the 2-primary component of III(E,/Q) 
is finite, then (6.2) and (4.14) again imply that E,(Q) has rank 1. The fact that 
the rank is 1 in these cases may be verified numerically by searching for 
points in C_,(Q) and C,(Q) respectively. (See, for example, the tables in 
[B-Sw 1}.) 


Remark 6.4. If p = 7, 11 (mod 16), then (6.2c) says that E,(Q) has order 2; 
while if p = 3, 5, 13, 15 (mod 16), then (6.2c) combined with the reasonable 
conjecture that IN(E,,/Q) [2] is finite tells us that E,(Q) = Z/2Z x Z. In the 
remaining case, namely p = 1 (mod 8), there appear to be two possibilities. 
First, E,(Q) might have rank 2. This can certainly occur. For example, the 
curves 

y?=x?+73x and y* = x3 + 89x 
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both have rank 2, independent points being given by 
(9/16, 411/64), (36, 222) € E,,(Q) 
and 
(25/16, 765/64), (4/9, 170/27) € Ego(Q). 


Second, E,(Q) might have rank 0, which would mean that II(E,/Q)[2] = 
(Z/2Z)?. (Note that rank E,(Q) = 1 is precluded if we assume that II] is finite.) 
The following proposition gives a fairly general condition under which the 
second possibility holds. It also provides our first examples of homogeneous 
spaces which are everywhere locally trivial, but have no global rational 
points. 


Proposition 6.5. Let p = 1 (mod 8) be a prime for which 2 is not a quartic 
residue. 
(a) The curves 


w2+1=4pz+ w?+2=2pz2+  w?4 2pz+=2 
have points defined over every completion of Q, but have no Q-rational points. 
(b) The elliptic curve 
E,:y? =x? + px 
satisfies 


rank E,(Q)=0 and W(E,/Q)[2] = (Z/2Z). 


Remark 6.5.1. Any prime p = 1 (mod 8) can be written as p = A? + B? with 
A, Be Z satisfying AB = 0 (mod 4). A theorem of Gauss, which we will prove 
below (6.6), says that 2 is then a quartic residue modulo p if and only if 
AB = 0 (mod 8). Thus for example, 2 is a quartic non-residue for the primes 


IT=17 44? 41=574+47 97 =97 4.4? = 193 = 77 +127; 


and so these primes satisfy the conclusions of (6.5). 


Proor. During the course of proving (6.2b), we showed that the Selmer group 
SE, /Q) < Q*/Q*? is given by {+1, +2, +p, +2p}. Further, —p is the 
image of the 2-torsion point (0, 0)¢E,(Q). Thus in order to show that 
IN(E,/Q)[¢] has order 4, it suffices to prove that the homogeneous spaces 
C_,, C,, and C_, have no Q-rational points. These are the three curves listed 
in (a); and so once we prove that they have no Q-rational points, all of (6.5) 
will follow from (6.2). The following proof is based on ideas of Lind and 
Mordell ({Lin], [Ca 7]. See also [Rei], [Mo 3], and [B—Sw 1].) 


Case I. 
C42: tw? =2—2pzt 
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Suppose that (z, w)e C,,(Q). Writing z and w in lowest terms, we see that 
they necessarily have the form (z, w) = (r/t, 2s/t?), where r, s, te Z satisfy 


+2s? = t* — pr*+ and gcd(r,s, t) = 1. 


Let q be an odd prime dividing s. Then (p|q) = 1, so (q|p) = 1 by quadratic 
reciprocity. (Here (a|b) is the Legendre symbol.) Since also (2|p) = 1, we see 
that (s| p) = 1, so (s?|p)4 = 1. (Le. s* is a quartic residue modulo p.) Now the 
above equation implies that (+2|p), = 1. But —1 is always a quartic residue 
for p = 1 (mod 8), while by assumption 2 is a quartic non-residue modulo p. 
This contradiction proves that C,,(Q) = ©. 


Case II. 
C_,:—w? = 1 — 4pz* 


Writing (z, w)¢ C_,(Q) in (almost) lowest terms as (z, w) = (r/2t, s/2t?), we 
have 


s?+4t* = pr* — gcd(r, t) = 1. 


(We do not preclude the possibility that r is even.) Since p = 1 (mod 4), there 
are integers A = 1 (mod 2) and B = 0 (mod 2) such that 


p = A? + B?. 
It is then a simple matter to verify the identity 
(pr? + 2Bt?)? = p(Br? + 2t?)? + A?s?, 
from which we obtain the factorization 
(pr? + 2Bt? + As)(pr? + 2Bt? — As) = p(Br? + 2t?)?. 


Now it is not difficult to check that gcd(pr? + 2Bt? + As, pr? + 2Bt? — As) 
is either a square or twice a square. (Up to a multiple of 2, it equals 
gcd(A, s)?.) Hence the above factorization implies that there are integers u 
and v satisfying 


pr? +2Bt?+ As = pw? 2pu? 
pr?+2Bt?7=As = vw? or 2v 
Br? +207 = wo 2Quv. 


Eliminating s from these equations, we obtain the two systems 
2pr? + 4Bt? = pu? + v? 
Br? + 2t? = w; 
and 
pr? + 2Bt? = pu? + v* 
Br? + 2t? = 2uv. 
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Now the fact that p = 1 (mod 8) and 2 is a quartic non-residue modulo p 
means that B = 4 (mod 8). (This will be proven below (6.6).) Reducing our 
two systems of equations modulo 8, it is now a simple matter to verify that in 
both cases, any solution must satisfy r = t = 0 (mod 2). This contradicts our 
original assumption that gcd(r, t)= 1, and so completes the proof that 
C_,(Q) = ©. O 


We now prove the theorem of Gauss giving the quartic character of 2 
which was used above. The proof that we give is taken from [Mo 3]. 


Proposition 6.6. Let p be a prime, p = 1 (mod 8). Write p = A? + B? as a sum 
of two squares. Then 


(2|p)4 = (—1)47%. 
(Le. 2 is a quartic residue modulo p if and only if AB = 0 (mod 8).) 


Proor. Using the fact that A? + B? = 0 (mod p), we compute 
(A + B)®-Y? = (2AB)P- V4 (mod p) 
= 2P-D4(_ 1)(P- 8 4-2 (mod p). 
In terms of residue symbols, this becomes 
(A + Bip) =(—1)?- 99 (2|p)4(AIp). 


By symmetry, we may assume that A is odd; and then the fact that p= 
1 (mod 4) implies that 


(A|p) = (p|A) = (B? fA) = 1. 
Hence 
(A + Bip) = (— 1)?" YF(2|p),. 
Finally, we observe that 
(A + Bl p) = (p|A + B) = (2|A + B)(2p|A + B) 
= (2|4 + B) = (—1)44B?-98, 
since the identity 
2p = (A+ B)? +(A—B)? __ implies that (2p|A + B) = 1. 
Substituting this above yields 
(2|p)4 =(—D%, 
where 


e = ((A + B)? — 1)/8 — (p — 1)/8 = AB/4. Oo 
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EXERCISES 


10.1. 


10.2. 


10.3. 


10.4. 


Let ¢: E/K — E'/K be an isogeny of degree m of elliptic curves over an arbi- 
trary (perfect) field. Assume that E’[¢] < E'(K). Generalize (1.1) as follows. 
(a) Prove that there is a bilinear pairing 


b: E(K)/$(E(K)) x E'[6] > K(S, m) 
defined by 
e4(6,(P), T) = dg(B(P, T)). 
(Here e, is the generalized Weil pairing (exer. 3.15), and 64: E'(K)> 
H"' (Gx x, E[¢]) is the usual connecting homomorphism.) 
(b) Prove that this pairing is non-degenerate on the left. 
(c) For Te E'[@], let f;, 97 ¢K(E’) be functions satisfying 
div( fr) = m(T)—m(0) frog = gf. 
Prove that 
b(P, T) = fy(P) (mod K*”) provided P # O, T. 
(d) In particular, if deg(¢) = 2, so E'[¢] = {O, T}, then 
b(P, T) = x(P) — x(T) (mod K*?). 
(We thus recover part of (4.9).) 


Let K be an arbitrary (perfect) field, let E/K be an elliptic curve, and let C,/K 

and C,/K be homogeneous spaces for E/K. 

(a) Prove that there exists a homogeneous space C;/K for E/K and a 
morphism 


¢ : C, x C, > C; 
defined over K such that for all p, €C,, pp €C,, and P,, P,€E, 


O(P1 + Py, P2 + Po) = O(P1, Po) + Py + Po. 


(b) Prove that C; is unique up to equivalence of homogeneous spaces. 
(c) Prove that 


{Ci} + {Co} = {Co}, 
the sum taking place in WC(E/K). 


Let C/K be a curve of genus 1 defined over an arbitrary (perfect) field. 

(a) Prove that there exists an elliptic curve E/K such that C/K is a homo- 
geneous space for E/K. [Hint: Use exercise 3.22 to show that C/Ke 
Twist(E/K). Then find an element {€} € H'(Gg)x, Aut(E)) so that C/K is a 
homogeneous space for the twist of E by €.] 

(b) Prove that E is unique up to K-isomorphism. 


Let K be an arbitrary (perfect) field and E/K an elliptic curve. 
(a) Prove that there is a natural action of Aut,(E) on WC(E/K) defined as 
follows: 
Let {C/K, u} e WC(E/K) and we Aut,(E). Then 
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10.6. 


10.7. 


10.8. 


10.9. 
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{C/K, u}* = {C/K, wo(1 x a)}. 
[I.e. Take the same curve C, but define a new action of E on C by the rule 
u*(p, P) = u(p, aP).] 


(b) Conversely, if {C/K, »} and {C/K, ’} are elements of WC(E/K), prove that 
there exists an «€ Aut,(E) such that yw’ = po(1 x a). 

(c) Conclude that for a given curve C/K of genus 1, there are only finitely 
many non-equivalent ways of making C/K into a homogeneous space. In 
particular, if j(C) 4 0, 1728, then there are at most two. (See also exer. B.5.) 


Let ¢: E/K — E'/K be a separable isogeny of elliptic curves defined over an 

arbitrary (perfect) field K, and let C/K be a homogeneous space for E/K. Then 

the finite group E[¢] acts on C; let C’ = C/E[¢] be the quotient curve (exer. 

3.13). 

(a) Prove that C’ is a curve of genus 1 defined over K. 

(b) Prove that C’/K is a homogeneous space for E’/K; and that under the 
natural map ¢: WC(E/K) > WC(E’/K), we have ¢{C/K} = {C’/K}. 

(c) In particular, if {C/K} WC(E/K)[¢], then C’ is isomorphic to E’ over K. 
Prove that this isomorphism can be chosen so that the natural projection 
C > C/E[@] = E’ is the map ¢ 0 6 defined in (4.6a). 


WC Over Finite Fields. Let K be a field with q elements. 
(a) Let C/K be a curve of genus 1. Prove that 
|#C(K) —q—-1]< 2/4. 


[Hint: Let 6: C + C be the q'*-power Frobenius map, and consider the 
map 


C>E  p-p-— ¢(p), 


where C/K is a homogeneous space for E/K. Now mimic the proof of 
(V.1.1).] 
(b) Let E/K be an elliptic curve. Prove that WC(E/K) = 0. 


WC Over R. Let E/R be an elliptic curve. 

(a) Prove that WC(E/R) = Z/2Z. 

(b) Find an equation for a homogeneous space representing the non-trivial 
element of WC(E/R) in terms of a given Weierstrass equation for E. 


Let E/K be an elliptic curve, m > 2 an integer, and assume that E[m] c E(K). 
Let ve Mx be a prime not dividing m. Prove that the restriction map 


WC(E/K)[m] > WC(E/K,)[m] 
is surjective. [Hint: Show that the map on the H'(+, E[m])’s is surjective. ] 


Let E/K be an elliptic curve, let Te E[m], and suppose that the field L = K(T) 
has maximal degree, namely [L: K] = m? — 1. Consider the chain of maps 


6 S 
a: E(K) > H*(Gjx, E[m]) > H* (Gg, E[m]) > H(Giyz, tp) = L*/L*". 
oa > m(Sos T) 
(Here e,, is the Weil pairing.) 
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(a) Let f-e¢L(E) be as in (1.1d). (Le. div( f;) = m(T) — m(O) and f,o[m]e 
L(E)*™".) Prove that 


a(P) = fr(P) (mod L*”). 
(b) Prove that for all Pe E(K), 
Ny x(a(P))e K*". 


(c) Let Sc M, be a set of places of L containing all archimedean places, all 
places dividing m, and all places at which E/L has bad reduction. Show that 
if Pe E(K) and ve M, with v¢S, then 


ord,(a(P)) = 0 (mod m). 


(d) For m = 2, prove that the kernel of w is exactly 2E(K). Hence in this case 
there is an injective homomorphism from E(K)/2E(K) into the group 


{ae L*/L*? : N,x(a)€ K*? and ord,(a) = 0 (mod 2) for all v¢ S} 
given by the map 
P—x(P) —x(T). 
This map may often be used to compute E(K)/2E(K). 
[Hint: Write out x(P) — x(T) = (r + sx(T) + tx(T)?), and use the resulting 


relations on r, s, t¢ K to show that P is in 2E(K).] 
(e) Use (d) to compute E(Q)/2E(Q) for the curve 


E:y+y=x?-x. 


[Hint: Let K/Q be the totally real cubic extension generated by a root of 
4x3 — 4x + 1 = 0. Start by showing that K has class number 1, and that 
every totally positive unit in K is a square. ] 


10.10. Let C/K be a curve of genus 1, and suppose that C(K,) # @ for every ve Mx. 
Prove that the map 
Div,(C) > Picx(C) 
is surjective. [Hint: Take Galois cohomology of the exact sequence 
1 > K* + K(C)* > Div(C) > Pic(C) > 0. 
Use Noether’s generalization of Hilbert’s theorem 90, 
H (Gg; K(C)*) =0; 


and the (cohomological version) of the Brauer-Hasse-Noether theorem 
([Ta §9.6]), which says that an element of H?(Gg)x, K*) is trivial if and only if 
it is trivial in H?(Gx)x,, K*) for every ve Mx.] 


10.11. Index and Period in WC. Let K be an arbitrary (perfect) field, E/K an elliptic 
curve, and C/K a homogeneous space for E/K. Define the period of C/K to be 
the exact order of {C/K} in WC(E/K); and the index of C/K to be the degree 
of the smallest extension L/K for which C(L) # @. (Eg. (3.3) says precisely 
that the period equals 1 if and only if the index equals 1.) 

(a) Prove that the period may also be characterized as the smallest integer 
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m > 1 for which there exists a point peC such that p’ — pe E[m] for 
every € Gx)x. 

(b) Prove that the index may also be characterized as the smallest degree 
among the positive divisors in Div,(C). 

(c) Prove that the period divides the index. 

(d) Prove that the period and the index are divisible by the same set of primes. 

(e)* Give an example with K = Q showing that the period may be strictly 
smaller than the index. 

(f) Prove that if K is a number field, and if C/K represents an element of 
Ill(E/K), then the period and the index are equal. [Hint: Use (a), (b), (c), 
and exer. 10.10.] 


Hensel’s Lemma. The following version of Hensel’s lemma is often useful for 
proving that a homogeneous space is locally trivial. Let R be a ring which is 
complete with respect to a discrete valuation v. 

(a) Let f(T)eR[T] and age R satisfy 


v( f(ao)) > 2v( f'(ao))- 
Define a sequence a, € R by 
Qn +1 = On — f(Ay)/f (An)- 
Prove that {a,} converges to an element ae R satisfying 
f(a) =0 and va — ay) > v( f(ao)/f(ao)”) > 0. 


(b) Now let F(X,,...,Xy)ERLX,,..., Xv], and suppose that the point 
(a,,..., dy)€R® satisfies 


v(F (a1, ..., ay)) > 2v((6F/0X;)(a,, ..., Ay)) 


for some 1 <i < N. Then F has a root in R. 
(c) Show that the curve 


3X3 +4Y° +5273 =0 
in P? has a point defined over Q, for every prime p. 


Use (1.4) to compute E(Q)/2E(Q) for each of the following elliptic curves. 
(a) E:y? = x(x — 1)(x + 3). 
(b) E: y? = x(x — 12)(x — 36). 


Use (4.9) to compute E(Q)/2E(Q) for each of the following elliptic curves. 
(a) E:y? =x? + 6x? 4x. 
(b) E:y? =x + 14x? 4+ x. 
(c) E:y? =x? + 9x? — x. 


Let E/K be an elliptic curve, €¢ H'(Gg/x, Aut(E)), and E, the twist of E corre- 
sponding to €. Let ve Mx be a finite place for which E has good reduction. 
Prove that E; has good reduction at v if and only if ¢ is unramified at v. (See 
VIII §2 for the definition of unramified.) [Hint: If the residue characteristic is 
not 2 or 3, then one can easily use explicit Weierstrass equations. In general, 
use the criterion of Néron—Ogg—Shafarevich (VII.7.1).] 
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10.16. 


10.17. 


10.18. 


10.19. 


10.20. 


Let E/K be an elliptic curve, let De K* be such that L = K (/D) is a quadratic 
extension of K, and let Ep/K be the twist of E/K given by (5.4(i)). Prove 


rank E(L) = rank E(K) + rank E,(K). 


Let p = 3 (mod 4) be a prime, and let De FF. 
(a) Show directly that the equation 


C:v? = ut — 4D 
has p — 1 solutions (u, v)eF, x F,. [Hint: Since p = 3 (mod 4), the map 


u > u* is an automorphism of F*.] 
(b) Let E/F, be the elliptic curve 


E:y? =x? + Dx. 
Use the map 
¢:C>E — gu, v) = (G(u? 4 v), du(u? + v)) 
to prove that 
#E(F,) =p +1. 


Do a computation analogous to that of (6.2) to determine the Selmer groups 

and a bound for the ranks of the following families of elliptic curves E/Q. (Here 

p is an odd prime.) 

(a) E: y? = x3 + 2px. (The curve with p = 41 has rank 3.) 

(b) E:y? =x? + p?x. 

Let E/Q be an elliptic curve with j(E) = 0. 

(a) Prove that there is a unique sixth-power-free integer D such that E is given 
by the Weierstrass equation 


E:y*=x>4+D. 
(b) Let p = 2 (mod 3) be a prime not dividing 6D. Prove that 
#E(F,) =p +1. 


(c) Prove that # E,,,,(Q) divides 6. 

(d) More precisely, show that E,,,,(Q) is given by the following list. 
1 D is not a square or a cube 
Z/2Z Disacube, DF 1 

Z/3Z Disasquare, D #1 

Z/6Z D=1, —432. 


Evors(Q) = 


Let A be a finite abelian group, and suppose that there exists a bilinear, 
alternating, non-degenerate pairing 


T:AxA>Q/Z. 


Prove that # A is a perfect square. 


APPENDIX A 
Elliptic Curves in Characteristics 2 and 3 


In this appendix we prove some of the results for elliptic curves in character- 
istics 2 and 3 which were omitted in the main body of the text. To simplify the 
computations, we start by giving normal forms for the Weierstrass equations 
of such curves. 


Proposition 1.1. Let E/K be a curve given by a Weierstrass equation. Then 
under the boxed assumptions, there is a substitution 


x=u?x’+r y=ury +u?sx'+t  withue K* andr,s,teK 


such that E/K has a Weierstrass equation of the indicated form. 


(a) | char K # 2,3 


y=xetaxta, A= —16(4a3+27a2) j=1728 


(b) | charK =3 and j(E) 40 


y=x+t+a,x? +a, A= —aza, j= —a3/a, 


char K =3 and j(E)=0] 


y=x+axta, A=—azt j=0 


(c) | charK =2 and j(E) #0 


ytxy=x +a,x*? +a, A=a, j=1/ag 


4a3 
4a3 + 27a2 
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| char K = 2 and i(E) = 0 | 


y? + agy = x2 + agx + a, A=at j=0. 


ProoF. (a) See (III §1). 
(b) Take a general Weierstrass equation and complete the square on the left. 
This gives an equation of the form 
y? = x3 + ayx? + agx + dg 
with invariants 
A= agai —aza,—ap j= a3/A. 
(Remember that char K = 3.) If j = 0, then a, = 0, so the equation already 
has the right shape. On the other hand, if j 40, then a, #0; and so the 
substitution x = x’ + a,/a, will eliminate the linear term. 
(c) Again starting with a general Weierstrass equation 
y? + ayxy +3 = x2 + ayx* +44 ag, 
one easily computes (in characteristic 2) 
j=ay?/A. 
If j #0, so a, #0, then the substitution 
x= ajx'+a;/a; y= ayy’ + (aja, + a3)/ay 


gives an equation in the desired form. Similarly, if j = a, =0, then the 
substitution 


Ul 


x=x +a, yay 


will have the desired effect. 

(Note that there is no deep theory involved in finding these substitutions. 
One merely looks at the transformation formulas (III.1.2), sets various coeffi- 
cients equal to 0 or 1, and chooses appropriate u, r, s, t.) Oo 


It is now a simple matter to complete the proofs of (II1.1.4) and (III.10.1), 
parts of which we restate here. 


Proposition 1.2. (a) A curve given by a Weierstrass equation is non-singular if 
and only if the discriminant of the equation is non-zero. 

(b) Two elliptic curves E/K and E'/K are isomorphic over K if and only if they 
have the same j-invariant. 

(c) Let E/K be an elliptic curve. Then Aut(E) is a finite group of order 


2 if j(E) # 0, 1728 
4 if j(E) = 1728 and char K 4 2,3 
6 if j(E) = 0 and char K # 2, 3 
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12 if j(E) = 0 = 1728 and char K = 3 

24 if j(E) = 0 = 1728 and char K = 2. 
(See also exercise A.1.) 
Proor. (a) From the proof of (III.1.4a), all that remains is to show that if 
char(K) = 2 and A = 0, then the curve is singular. But this is immediate from 
the normal forms given in (1.1c). 
(b), (c) Again referring to the proofs of (II1.1.4b) and (III.10.1), we need only 


deal with the cases of char(K) = 2 or 3. We use the normal forms given in 
(1.1b,c) and consider 4 cases. 


Case I. char K = 3 and j(E) #0. E and E’ have Weierstrass equations of the 
form 

y? = x3 + a,x? + ag. 
The only substitutions preserving this sort of equation are 

x=urx y=ury. 


Since j(E) = j(E’), we have a3ay, = a'pag # 0, so taking u? = a,/a’, will give an 
isomorphism from E to E’. Further, if E = E’, then we must have u? = 1, so 
Aut(E) = {+1}. 


Case II. char K = 3 and j(E) = 0. E and E’ are given by equations of the 
form 
y? =x + ayx + dg. 
The substitutions preserving this form look like 
x=wx +r y=uby, 


Note we have a4, a #0. Then an isomorphism from E to E’ is given by 
choosing u and r to satisfy 


ut=a,/a, r+agr+ag—ua; =0. 


Further, if E = E’, then an automorphism of E has u* = 1 and r>? + agr + 
(1 — u?)ag = 0. Since a, 4 0, there are exactly 12 such pairs (u, r) making up 
Aut(E). 


Case III. char K = 2 and j(E) 4 0. In this case E and E’ are given by equa- 
tions of the form 
yr txy=x3 + a,x? + ag. 
The substitutions preserving this form look like 
x=x’ y=ytsx’. 


Since j(E) = j(E’), we have ag = a, # 0, so an isomorphism from E to E’ is 
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given by taking s to be a root of the equation 
s?-+s+a,+a,=0. 
Similarly, the automorphisms of E are obtained by taking se {0, 1}. 


Case IV. char K = 2 and j(E) = 0. E and E’ have equations of the form 
y? + a3y = x? + ayx + dg, 
and allowable substitutions look like 
x=ux'+s? y=uby'+u?sx' +t. 


By assumption, a3, a, # 0, so to map E to E’, we choose uy, s, t to satisfy the 
equations 


w=a3;/a, s*+a,;s+a,—uta,=0 
t? + ast + s® + ays? + ag — u®ay = 0. 
Finally, the automorphism group of E is given by the set of triples (u, s, t) 
satisfying the equations 
w=1 sttast+(l—wa,=0 t? +a;t+5°+a,s? =0. 


Since a, 4 0, we see that Aut(E) has order 24. oO 


The next proposition gives a normal form for Weierstrass equations which 
is similar to Legendre form, but is valid in characteristic 2. Having done this, 
we can then easily complete the proofs of (VII.5.4c) and (VIL5.5). 


Proposition 1.3 (Deuring Normal Form). Let E/K be an elliptic curve over a 
field with char K 4 3. Then E has a Weierstrass equation over K of the form 


E,:y>+axy+ty=x>  weK,a> ¥ 27. 
This equation has discriminant and j-invariant 

A=0—27 = j=a3(a3 — 24)3/(a3 — 27). 
Proor. The computation of A and j for E, is an exercise. In order to show 
that E has an equation of the form E,, one can find appropriate substitutions. 


However, using (1.2b), we have a quicker route available. Thus let ae K be a 
solution to the equation 


a3(a3 — 24) — (a3 — 27)j(E) = 0. 


Since char(K) # 3, we see that a? # 27, so E, will be an elliptic curve with the 
same j-invariant as E. If follows from (1.2b) that E and E, are isomorphic 
(over K). O 


Corollary 1.4. Let E/K be an elliptic curve defined over a local field. (I.e. K is 
given with a discrete valuation.) 
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(a) There exists a finite extension K'/K such that E has either good or split 
multiplicative reduction over K". 
(b) E has potential good reduction if and only if its j-invariant is integral. 


Proor. Let R be the ring of integers of K, .@ its maximal ideal, and k = R/.@ 
its residue field. From the proofs of (VII.5.4c) and (VILS.5), we are left to deal 
with char(k) = 2. In any case, we may assume that char(k) # 3. Replacing K 
by a finite extension, we choose an equation for E in Deuring normal form 


E:y+axyty=x> «3 £27. 
This equation has 
C4 = a(a3 — 24) and A=a3 — 27. 


(a) We consider three cases. 


Case I. we R, «3 # 27 (mod .@). Then A # 0 (mod .@), so the given equation 
has good reduction. 


Case I]. w€R, «3 = 27 (mod .@). Then A=0 ‘mod .@) and c, = 814 
0 (mod .@), so by (VII.5.1b), the given equation for E has multiplicative 
reduction. To obtain split multiplicative reduction then requires, at worst, 
taking a quadratic extension of K. 


Case III. a¢ R. Let x be a uniformizer for R, and choose an integer r > 1 so 
that x"«e R*. Then the substitution x = x~?’x’, y = 2 >"y’ gives an equation 


y? + Bx'y + ny =x, 
where B = 2’ae R*. This equation has 
cy = B(B° — 240°") = B* # 0 (mod -@) 
and 
A = 2°"(B — 272°") = 0 (mod .M), 
so again from (VIL.5.1b), it has multiplicative reduction. Further, the reduced 
curve is given by y(y + Bx) = x3(mod 4), so the reduction is split multi- 


plicative. 
(b) By assumption, j(E) and « are related by 


a3 (a3 — 24)3 — (a3 — 27)j(E) = 0. 


From this equation and the integrality of j(E), we see that « is integral. 
Further, since the characteristic of k is different from 3, we have a? # 
27 (mod .@). Thus the Deuring normal equation has integral coefficients and 
good reduction. oO 
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EXERCISES 


A.l. 


A.2. 


A.3. 


A4. 


Let E/K be an elliptic curve with j(E) = 0. Strengthen (1.2) by showing that the 

automorphism group of E may be described as follows: 

(a) If char(K) = 3, then Aut(E£) is the twisted product of C, (a cyclic group of 
order 4) and C,. C; is a normal subgroup, and C, acts on C, in the unique 
non-trivial way. 

(b) If char(K) = 2, then Aut(E) is the twisted product of C3 and a quaternion 
group. The quarternion group is a normal subgroup; and if we write the 
quaternion group as {+1, +i, +j, +k}, then a generator for C, acts by 
permuting i, j, and k. 


Let K be a field of characteristic 2, and let E/K be an elliptic curve with j(E) 4 0 
given by a Weierstrass equation 
y? + xy =x3 + ayx? + dg. 


Let €€ H'(Ggx, Aut(E)) = Hom(Gg)x, Z/2Z), and let L/K be the corresponding 
quadratic extension. Show that the twist of E by € (cf. (X §5)) is given by an 
equation 


y? + xy =x? + (a, + D)x? +. a6, 
where De K and L/K is the Artin—Schreier extension generated by a root of 
?—t—D=0. 


Let E/K be an elliptic curve with Weierstrass coordinate functions x and y. 
Show that the differential dx is holomorphic if and only if char(K) = 2 and 
J(E) = 0. 


Let E/K and E’'/K be elliptic curves over a not necessarily perfect field K. Suppose 
that j(E) = j(E’). Prove that E and E’ are isomorphic over a separable extension 
L of K of degree dividing 24. If j(E) # 0, 1728, then L can be chosen to have 
degree 2. 


APPENDIX B 
Group Cohomology (H® and H') 


In this appendix we give the basic facts about group cohomology which are 
used in chapter VIII §2 and chapter X. Since only H® and H' are needed in 
this book, we have restricted our attention to these two groups. The reader 
desiring more information about group cohomology might look at [A—W], 
[Gru], [Se 8], or [Se 9]. 


§1. Cohomology of Finite Groups 


Let G be a finite group, and let M be an abelian group on which G acts. We 
denote the action of s¢G onmeM by mm’. Then M is a (right) G-module 
if the action of G on M satisfies 


m} =m (m + m’')? =m°* + m’? (m’) =m". 


If M and N are G-modules, a G-homomorphism is a homomorphism ¢: M > N 
of abelian groups commuting with the action of G; that is 


o(m’) = d(m)’ __—s for all me M and ceG. 
For a given G-module, one is often interested in calculating the largest sub- 
module on which G acts trivially. 
Definition. The 0 cohomology group of the G-module M, denoted M® or 
H°(G, M), is defined by 

H°(G, M) = {me M: m? = m for all ceG}. 


It is the submodule of M consisting of all G-invariant elements. 
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Let 
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be an exact sequence of G-modules. (Le. ¢ and w are G-module homomor- 
phisms with ¢ injective, y surjective, and Image(¢) = Kernel(w).) Then one 
easily checks that taking G-invariants gives another exact sequence 


0— Pf > Mf = NG; 
but the map on the right need no longer be surjective. In order to measure 
this lack of surjectivity, we make the following definitions. 
Definition. Let M be a G-module. The group of 1-cochains (from G to M) is 
defined by 
C'(G, M) = {maps €:G > M}. 
The group of 1-cocycles (from G to M) is given by 
Z'(G, M) = {E€C'(G, M): €,, = & + & for all o, reG}. 
The group of 1-coboundaries (from G to M) is defined by 
B1(G, M) = {€€C'(G, M): there exists an me M such that 
€, =m’ — mfor all ceG}. 


One easily checks that B'(G, M) < Z'(G, M). Then the 1%‘ cohomology group 
of the G-module M is the quotient group 


H}(G, M) = Z\(G, M)/B\(G, M). 
In other words, H'(G, M) is the group of 1-cocycles €: G > M, modulo the 
equivalence relation that two cocycles are identified if their difference is of the 
form o — m? — m for some me M. 
Remark 1.1. Notice that if the action of G on M is trivial, then 
H°(G,M)=M and 4H'(G, M) = Hom(G, M). 
These both follow immediately from the definitions; for the latter, the 


1-cocycles are homomorphisms, and all of the 1-coboundaries are 0. 


Let ¢: MN be a G-module homomorphism. Then composition with ¢ 
clearly takes Z'(G, M) to Z'(G, N) and B'(G, M) to B‘(G, N). Thus ¢ induces 
a map on cohomology ¢: H'(G, M) > H'(G, N). 

Proposition 1.2. Let 
0-P A M x N-0O 


be an exact sequence of G-modules. Then there is a long exact sequence 
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0 > H°(G, P) + H°(G, M) > H°(G, N) > H“(G, P) > H\(G, M) > H“(G, N), 


where the connecting homomorphism 6 is defined as follows. 
Let ne H°(G, N) = N°. Choose an meM such that w(m) = n, and define a 
cochain — €C'(G, M) by 


—é, =m? —m. 
oC 


Then in fact €€ Z(G, P), and 5(n) is the cohomology class in H1(G, P) of the 
1-cocycle €. 


ProorF. A straightforward (but tedious) diagram chase, which we leave to the 
reader (exer. B.1). (Or see any of the references listed above.) oO 


Suppose now that H is a subgroup of G. Then any G-module M is auto- 
matically an H-module. Further, if € : G > M is a 1-cochain, then by restrict- 
ing the domain of & to H, we obtain an H-to-M cochain. It is clear that this 
process takes cocycles to cocycles and coboundaries to coboundaries, and so 
we obtain a restriction homomorphism 


Res : H1(G, M) > H1(H, M). 


Suppose further that H is a normal subgroup of G. Then the submodule M¥ 
of M consisting of the elements fixed by H has a natural structure of 
G/H-module. Now let €:G/H — M# be a 1-cochain from G/H to M¥. Then 
composing with the projection G— G/H and with the inclusion M¥ c M 
gives a G-to-M 1-cochain 


G>G/H4M¥eM. 


Again it is easy to see that if € is a cocycle or coboundary, then the new G-to- 
M cochain has the same property. Hence we obtain an inflation homo- 
morphism 


Inf: H1(G/H, M®) > H4(G, M). 


Proposition 1.3. Let M be a G-module and let H be a normal subgroup of G. 
Then the following sequence is exact. 


0 > H'(G/H, M®)-> H1(G, M)"S H(H, M). 


Proor. From the definitions, it is clear that Res o Inf = 0. 

Next let €: G/H + M®™ be a 1-cocycle with Inf{£} = 0. (We use braces {-} to 
indicate the cohomology class of a cocycle.) Thus there is an me M such that 
€ = m° — m for all c€G. But € depends only on o (mod H), so m?’ —m= 
m™ — m for all ce H. Thus m‘ — m = 0 for all te H, so me M4, and hence € 
is a G/H-to-M" coboundary. 

Finally, suppose that ¢: G > M is a 1-cocycle with Res{¢} = 0. Thus there 
is an meM such that ¢, =m‘ —m for all te H. Subtracting the G-to-M 
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coboundary o > m’ — m from €, we may assume that €, = 0 for all te H. 
Then the cocycle condition applied to ce G and te H yields 


Sta = Sr + Og = So 


Thus €, depends only on the class of 6 in G/H. Next, since H is normal, there 
is at’ € H such that ot = 1’o. Then using the cocycle condition again together 
with the fact that € is a map on G/H gives 


Gs = Gee = ca - ce + a =F Gas 
This proves that € gives a map from G/H to M", and so {£} ¢ H'(G/H, M®*). 


§2. Galois Cohomology 


Let K be a perfect field (as usual), let K be an algebraic closure of K, and let 
Gxx be the Galois group of K over K. Recall that Gx)x is equal to the inverse 
limit of G,,x as L varies over all finite Galois extensions of K. Thus Gg, is a 
profinite group (inverse limit of finite groups), and as such it comes equipped 
with a topology in which a basis of open sets around the identity consists of 
the collection of normal subgroups having finite index in Gg,x. (Ie. The 
subgroups which are kernels of maps Gx,x > G_,/x for finite Galois extensions 
L/K.) 


Definition. A (discrete) Gx,x-module is an abelian group M on which Gg, acts 
such that the action is continuous for the profinite topology on Gx,x and the 
discrete topology on M. (Equivalently, the action of Gg,x on M has the 
property that for all me M, the stabilizer of m, 


{oeG:m° =m}, 


is a subgroup of finite index in Gg)x.) Since all of our Gg,x-modules will be 
discrete, we will normally just refer to them as Gg,x-modules. 


Example 2.1.1. K and K* with the natural action of Gg,x are Gg/x-modules. 
This is because for any xe K, K(x)/K is a finite extension, so the stabilizer 
of x will have finite index. 


Example 2.1.2. More generally, let Z/K be any (abelian) algebraic group. 
Then 9 = YK) is a Gg/x-module, since again the coordinates of any point of 
QJ will generate a finite extension of K. 


The 0-cohomomogy of a Gg x-module is defined just as in the case of 
finite groups. 
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Definition. The 0'*-cohomology of the Ggjx-module M is the group of Gg)x- 
invariant elements of M, 


M&« = H°(Ggx, M) = {meM:m’ = m for all c€ Gg}. 


We could also define H‘ exactly as in the case of finite groups, but instead 
we use the fact that our group is profinite and our module discrete in order to 
put some restriction on the allowable cocycles. 


Definition. Let M be a Gg)x-module. A map ¢ : Gg)x > M is continuous if it is 
continuous for the profinite topology on Gg/x and the discrete topology on 
M. (Le. If for each me M, &~*(m) contains a subgroup of finite index of Gg)x.) 
We define the group of continuous 1-cocycles from Gx x to M, denoted 
Zéont(Ggjx, M), to be the group of continuous maps € : Gg)x > M satisfying 
the cocycle condition 


ae = eS a Go 


(This is a subgroup of the full group of 1-cocycles Z*(Ggx, M).) Notice that 
since M is discrete, any coboundary o > m? — m will automatically be con- 
tinuous. The 1*-cohomology of the Gg)x-module M is defined by 


H*(Ggjx, M) = Zeon(Ggjx, M)/B*(Gkjx, M). 
Remark 2.2. Just as in the case of finite groups, if Gg,x acts trivially on M, 
then we have 
H°(Ggjx,M)=M and H'(Ggx, M) = Homggy(Gxx, M). 
(Here Hom,,,, means the group of continuous homomorphisms.) 
The fundamental exact sequences (1.2) and (1.3) in the cohomology of finite 
groups carry over word-for-word to the profinite case. 
Proposition 2.3. Let 
0-P s M . N-0O 
be an exact sequence of Gx)x-modules. Then there is a long exact sequence 
0 — H°(Ggjx, P) > H°(Ggjx, M) > H°(Ggjx, N) 
5 H"(Gyyx, P) > (Gig, M) > H" (Gin, N), 
where the connecting homomorphism 6 is defined as in (1.2). 


Now let M be a Gg,x-module, and let L/K be a finite Galois extension. 
Then Gg), is a subgroup of Gg,x of finite index, and so M is naturally a Gx,,- 
module. This leads to a restriction map on cohomology, 


Res : H*(Gxjx, M) > H'(Gg,, M). 
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Further, Gg), is a normal subgroup of Gg/x, the quotient being the finite 
group Gx. The invariant submodule M“ has a natural structure of G,/x- 
module. Then any 1-cocycle ¢:G,),-> M ku becomes a (continuous) Gkjx 
1-cocycle via the composition 


g = 
Gx - Gi - M&kn cM. 
This gives an inflation map 


Inf: H}(Gyjx; M%) = H’ (Ggx, M). 


Proposition 2.4. With notation as above, there is an exact sequence 


0 > H(G,)x, M%*) > H (Gz, M) > H(Gg,,, M). 
Proor. Virtually identical to the proof of (1.3). O 


The next proposition gives fundamental facts about the cohomology of the 

additive and multiplicative groups of a field. 
Proposition 2.5. Let K be a field. 
(a) H*(Ggx, K*) = 0. 
(b) (Hilbert Theorem 90) 

H'(Gxx, K*) = 0. 
(c) Assume that char(K) does not divide m (or char(K) = 0). Then 

H* (Gx; Wm) = K*/K*". 

Proor. (a) [Se 9, Ch. X, Prop. 1]. 


(b) [Se 9, Ch. X, Prop. 2]. 
(c) Consider the exact sequence 


1p, > K* 3 K* 1 
of Gg)x-modules. Applying (2.3) yields the long exact sequence 
> K*™ K* HY (Gayg, Hp) > H (Gain, R*) >. 


From (b), H'(Gg)x, K*) = 0, which gives the deisred result. O 


§3. Non-Abelian Cohomology 


Again we start with a finite group G and a group M on which G acts, but now 
we no longer require that M be abelian. (To emphasize this fact, we will write 
M multiplicatively.) As above, the 0"-cohomology group of M is defined to be 
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the subgroup of G-invariant elements: 
H°(G, M) = M% = {me M:m? = mfor all ce G}. 
Further, we define the set of 1-cocycles of G into M to be the set of maps 
E:G>M satisfying €,, = (€,)°é, for all o, TEG. 


[N.B. The 1-cocycles do not in general form a group. The non-commutativity 
of M may prevent the product of two cocycles from being a cocycle.] We say 
that two 1-cocycles € and { are cohomologous if there is an me M such that 


mE, =C,m for all oEG. 


One easily checks that this gives an equivalence relation on the set of 
1-cocycles. The 1%-cohomology set of M, denoted H1(G, M), is the set of 
1-cocycles modulo this relation. We note that H1(G, M) has a distinguished 
element, namely the equivalence class of the identity cocycle. It is thus a 
pointed set; that is, a set with a distinguished element. 

Continuing as in section 2, we say that the Galois group Gg,x acts dis- 
cretely on a (possibly non-abelian) group M if the stabilizer of any element of 
M is a subgroup of finite index in Gg)x. We can again define a continuous 
1-cocycle from Gx)x to M to be a map ¢ : Gg,x > M which satisfies the cocycle 
condition and is continuous for the profinite topology on Gg), and the 
discrete topology on M. Two cocycles & and ¢ are again deemed cohomolog- 
ous if m’~,=(C,m for some meM, and the 0-cohomology group and 
1*-cohomology set of M are defined as above by 


H°(Ggx, M) = M&« = {meM:m’ = mfor all eG}, 
and 


: set of continuous 1-cocycles from Gxg,x to M 
H (Gax, M ) i 
equivalence of cohomologous 1-cocycles 


Example 3.1. If /K is any algebraic group, then there is a natural action of 
Gxjx On J = YK); and as explained above (2.1.2), this action will be discrete. 
Clearly 


H°(Ggx: 2) = HK) 


is the subgroup of K-rational points. The structure of the set H’(Gg)x, ) is 
harder to describe, but for the special case of the general linear group there is 
the following generalization of Hilbert’s Theorem 90. 


Proposition 3.2. For all integers n > 1, 
H} (Gin, GL,(K)) = {1}. 


Proor. [Se 9, Ch. X, Prop. 3]. 
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EXERCISES 


B.1. 
B.2. 


B.3. 


B.4. 


B.5. 


B.6. 


Prove that the sequence in (1.2) is exact. 


Let G be a finite group and M a G-module. 
(a) If G has order n, prove that every element of H1(G, M) is killed by n. 
(b) If M is finitely generated as a G-module, prove that H'(G, M) is finite. 


Let G be a finite group, M a G-module, and H a normal subgroup of G. 
(a) Show that there is a natural action of G/H on H'(H, M). 
(b) Prove that the image of the restriction map Res: H!(G, M) > H'(H, M) lies 
in the subgroup of H'(H, M) fixed by G/H. This allows (1.3) to be refined to 
Inf Res 
0 > H1(G/H, M#)— H1(G, M) > H1(H, M)@", 


Let M be a (discrete) Gg,x-module. If F/L/K is a tower of fields, then there are 
inflation maps 


H(Gijx; Mx) > H' (Grx, M&r), 
Prove that these form a direct system, and that there is an isomorphism 
H" (Ga, M) = Lim A (Gyjx, Mx), 


where the direct limit is taken over all finite Galois extensions L/K. (This pro- 
vides an alternative definition for the cohomology of Gg,x-modules.) 


Let G be a finite group, and let E and A be groups on which G acts. Assume that 
E is abelian, and that A acts on E in a manner compatible with the action of G. 
(Le. (ax)? = a’x? for all a€ A, xe E, and o€G.) The twisted product of E and A, 
denoted E x A, is the group whose underlying set is E x A, and whose group 
law is given by 


(x, ) *(y, B) = (x(ay), #8). 


Notice that G acts on E « A via (x, a)? = (x’, «”). 
(a) Prove that there are exact sequences 


1->E>-EKA-A--l1 
and 
1 > E® a(E x A)® > AS > 1. 


(b) Any «€ A®% gives a, G-isomorphism «: E > E, and so induces an automor- 
phism of H'(G, E). Show that two elements €,, €,¢H'(G, E) have the same 
image under the natural map H1(G, E) > H‘(G, E « A) if and only if there is 
an ae A® such that af, = &. 


Let G be a finite group, M a G-module, and H, and H, subgroups of G. Suppose 
further that H, and H, are conjugate. (Ie. H, = Ho’ for some o€G.) Prove 
that the restriction maps 


Res: H'(G, M) > H"(H,,M) and Res: H'(G, M)—> H'(H,, M) 


have the same kernel. 


APPENDIX C 


Further Topics: An Overview 


In this volume we have tried to give an essentially self-contained introduction 
to the basic theory of the arithmetic of elliptic curves. Unfortunately, due to 
limitations of time and space, many important topics have had to be omitted. 
This appendix contains a very brief introduction to some of the material 
which could not be included in the main body of the text. Further details may 
be found in the references listed at the end of each section. 

Since the ten topics covered in this appendix were originally supposed to 
form chapters XI through XX of this book, they have been numbered as 
sections 11 through 20. The contents of appendix C are as follows: 


§11. Complex Multiplication 338 
§12. Modular Functions 342 
§13. Modular Curves 351 
§14. Tate Curves 355 
§15. Néron Models and Tate’s Algorithm 357 
§16. L-Series 360 
§17. Duality Theory 364 
§18. Local Height Functions 364 
§19. The Image of Galois 366 
§20. Function Fields and Specialization Theorems 367 


§11. Complex Multiplication 


The Kronecker—Weber theorem says that the maximal abelian extension Q” 
of Q is generated by roots of unity; and so the class field theory of Q is given 
explicitly by an isomorphism 
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Ggarjg = I] ae. 
p 


The theory of complex multiplication provides a similar description for the 
abelian extensions of quadratic imaginary fields. 

Let #/Q be a quadratic imaginary field, 2 < ¥ the ring of integers of %, 
and @/¢(&) the ideal class group of &. If we fix an embedding % < C, then 
each ideal A of @ is a lattice A < C, and we can consider the elliptic curve 
C/A. From (V14.1), 


End(C/A) = {weC: aA CAS =2. 


Further, (VI.4.1.1) says that up to isomorphism, C/A only depends on the 
ideal class {A} €@¢(&). 

Conversely, suppose that E/C satisfies End(E) = &. Then (VI.5.1.1) implies 
that E(C) = C/A for a unique ideal class {A} €@¢(Z). We have proven the 
following. 


Proposition 11.1. With notation as above, there is a one-to-one correspondence 
between ideal classes in @¢(&) and isomorphism classes of elliptic curves E/C 
with End(E) = &. 


Corollary 11.1.1. (a) There are only finitely many isomorphism classes of ellip- 
tic curves E/C with End(E) = &. 

(b) Let E/C be an elliptic curve with End(E) = &. Then j(E) is algebraic over 
Q. 


ProoF. (a) Clear from (11.1), since ¢(&) is finite. 

(b) Let oe Aut(C/Q). Then End(E’) = End(E) = &. It follows from (a) that 
{E? : oe Aut(C/Q)} contains only finitely many isomophism classes of elliptic 
curves. Since j(E’) = j(E)’, we see that the set { j(E)’: ce Aut(C/Q)} is finite. 
It follows that j(E) is algebraic over Q. oO 


Actually, we can say quite a bit more about the j-invariant of an elliptic 
curve with complex multiplication. For any {A} ¢@¢(&), let us denote the j- 
invariant of C/A by j(A). 


Theorem 11.2 (Weber, Fueter). Let {A} e@¢(2). 

(a) j(A) is an algebraic integer. 

(b) [#(j(A)): #7] = [Q(j(A)): Q]. 

(c) The field # = X(j(A)) is the maximal unramified abelian extension of 
HK. (Le. # is the Hilbert class field of #.) 

(d) Let {A,}, ..., {A,} be a complete set of representatives for @¢(Z). Then 
(Ay), ---5j(Aq) form a complete set of Gy) conjugates for j(A). 


Proor. (a) The original proof of the integrality of j(A) uses the theory of 
modular functions. (See, for example, [Shi 1, §4.6] or [La 3, ch. 5, thm. 4].) An 
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algebraic proof (which generalizes to higher dimensions) can be given using 
the criterion of Néron—Ogg-Shafarevich ([Se—T, thm. 6]. See also (exer. 
7.10).) 

(b), (c), (d) [La 3, ch. 10, thm. 1], [Se 4], or [Shi 1, thm. 5.7]. oO 


Example 11.3.1. Suppose that E/Q is an elliptic curve with complex multipli- 
cation, and suppose that End(E) is the full ring of integers @ in the field 
HK = End(E) @ Q. (Note that % is necessarily quadratic imaginary (VI.5.5).) 
Since j(E) € Q, it follows from (11.2c) that 


H = H(j(E)) = H; 


and so & has class number 1. 

Conversely, if #/Q@ is a quadratic imaginary field with class number 1, 
then (11.2bc) implies that for any {A}e@¢(), we have j(A)eQ. (E.g. We 
could take A = &.) Hence C/A is (analytically) isomorphic to an elliptic curve 
E/Q with j(E) = j(A) and End(E) = &. 

Now Baker, Heegner, and Stark have shown that there are exactly 9 
quadratic imaginary fields whose ring of integers has class number 1, namely 
Q(,/—d) for de {1, 2, 3, 7, 11, 19, 43, 67, 163}. Hence there are only 9 possible 
j-invariants for elliptic curves E defined over Q for which End(£) is the full 
ring of integers in End(£) @ Q. 


Remark 11.3.2. If we relax the requirement that End(E) be the full ring of 
integers of #, and allow it to be an arbitrary order of #, then End(E) will 
have the form End(E) = Z + f& for some fe Z (exer. 3.20). One can show in 
this case that 


[4°(j(E)): #] = #6¢(Z + fA), 


where @¢(Z + f &) is the group of projective (Z + f Z)-modules of rank 1. In 
particular, if j(E)e¢Q, then @¢(Z + f#) = (1); and one can then check that 
there are only four possibilities with f > 2, namely 


Q(./ — 1), Q(/—3), Q./-7) with f = 2, 


Q(./ —3) with f = 3. 
Combining this with (11.3.1), we see that up to isomorphism over Q, there are 
exactly 13 elliptic curves E/Q having complex multiplication. Of course, each 
Q-isomorphism class contains infinitely many Q-isomorphism classes (X.5.4). 
(For example, the family of curves E/Q with End(E) = Z[./ —1] is studied in 
(X §6).) 


Returning now to the situation in (11.2), let {A} ¢@¢(@). Then from (11.2), 
the Galois group Gy) acts on #(j(A)). This action can be described quite 
precisely in terms of the Artin map. 


and 
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Theorem 11.4 (Hasse). Let {A} €@¢(&) and # = H(j(A)) be as in (11.2). For 
each prime ideal p of X, let Frob(p)€ Gy) be the Frobenius element corre- 
sponding to p. Suppose that there is an elliptic curve (defined over #) with j- 
invariant j(A) which has good reduction at all primes of # lying over p. Then 


j(AVFO) = j(A-p?). 
(Here A-p"! is the usual product of fractional ideals of X.) 


Proor. [La 3, ch. 10, thm. 1], [Se 4], or [Shi 1, thm. 5.7]. Oo 


Suppose now that E/K is an elliptic curve with complex multiplication 
over K. (Ie. End,(E) # Z.) Then the fact that Ggjx and End,(E£) commute 
with one another in their action on the Tate module T;(E£) will imply that the 
action of Gx, is abelian. (This is essentially Schur’s lemma. See exer. 3.24.) 
Thus the field K(E,,,,) obtained by adjoining to K the coordinates of all of the 
torsion points of E will be an abelian extension of K. 

Let us return now to the case that AE@¢(Z), # = H(j(A)), and E/# is an 
elliptic curve with j-invariant j(A). Then #(E,,,,) is an abelian extension of 
H#, but it will not in general be an abelian extension of #. However, it turns 
out that W(E,,,,) contains #4, and W(E,,,.)/4™ is an abelian extension 
whose Galois group is (generally) a product of groups of order 2. In order to 
produce .#” itself, we instead adjoin (essentially) just the x-coordinates of 
the torsion points. 

To make this precise, for any elliptic curve E/K, let us define a Weber 
function on E/K to be a morphism defined over K of the form 


E> E/Aut(E) = P?. 


(For the definition of the quotient curve E/Aut(E), see (exer. 3.13).) Classi- 
cally, if E is given by a Weierstrass equation 


E:y?=4x3—g.x-—g3; g2,g3€C 


with discriminant A = g3 — 2793, then one defines the Weber function quite 
explicitly by the formula 


(g293/A)x(P)_ if j(E) 0, 1728 
bg(P) = 5 (g3/A)x(P)? if j(E) = 1728 
(g3/A)x(P)> if (E) = 0. 


Notice that although g, and g, are allowed to be in C, the map ¢, : E > P? is 
independent of the choice of Weierstrass equation for E, and will thus be 
defined over any field of definition for E. 


Theorem 11.5. Let & be a quadratic imaginary field, 2 < KH its ring of 
integers, and let E/C be an elliptic curve with End(E) = &. 

(a) The maximal unramified abelian extension of H is #(j(E)). 

(b) The maxiial abelian extension XH” of KH is given by 
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By = KH (j(E); ¢,(T), TE Exes) 


[l.e. #” is the field obtained by adjoining to X the j-invariant of E and the 
value of a Weber function at all of the torsion points of E.] 


ProoF. (a) This is a restatement of (11.2c). 
(b) [La 3, ch. 10, thm. 2], [Se 4], or [Shi 1, cor. 5.6]. oO 


Remark 11.6. Let {A} be any ideal class of &, for example A = &. Then in 
(11.5), we could take E to be the elliptic curve with E(C) = C/A given by the 
Weierstrass equation 


E:y? = 4x° — g,(A)x — g3(A). 


(For the definition of g,(A) and g,(A) in terms of power series, see (VI §3).) 
Then the Weber function 


oi: C/A>C 

is given analytically by 

(ga(A)g3(A)/A(A)) a(z, A) if f(A) 4 0, 1728 

x(2) = 4(92(A)7/A(A)) ez, A)? if j(A) = 1728 

(g3(A)/A(A)) @(z, A)? if j(A) = 0. 
Now (11.5) says that #%® is generated by j(A) and ¢,(t) for teQA c C. Thus 
H® is given explicitly by the values of an analytic function evaluated at 
points of finite order on the complex torus C/A. Notice the similarity with 


the situation over @, where Q” is generated by the values of the analytic 
function ¢(z) = e?*” at the points of finite order on the cylinder C/Z. 


Remark 11.7. Just as in (11.4), one can use the Artin map to describe the 
action of Gya,y on the elements ¢,(T) which generate #%/%. See, for 
example, [Shi 1, thm. 5.4] or [La 3, ch. 10, lemma 1 and thm. 3]. 


References. [La 3], [Se 4], [Shi 1]. For generalizations to abelian varieties, 
see [Shi-T], [Se-T], [La 10]. 
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As we have seen (VL.5.1.1), every elliptic curve E/C is analytically isomorphic 
to a complex torus C/A, where A < C is a lattice which is determined up to 
homothety by E. Associated to the lattice A are the Eisenstein series G,,(A), 
discriminant A(A), and j-invariant j(A). One easily verifies the homogeneity 
properties (exer. 6.6) 


Gy(aA) = 0 Gy (A) AA) = a" A(A) —j(@A) = f(A). 
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These functions have as their domain the space of lattices. Using homoge- 
neity, it is enough to study them in the space of lattices modulo homothety. 
In order to do this, we set the following notation: 


H = {teC:Im(t) > 0} 
A,=Z+2t for téeH 
Gyi(t) = Ga,(A,) A(t) = A(A) (a) = f(A). 


Clearly every lattice A is homothetic to A, for some teH. In order to 
describe when two 1’s give the same lattice, we note that the modular group 


SL,(Z) = {(@ 5):4, b,c, deZ, ad — be = 1} 

acts on H by linear fractional transformation 
Y=CQ:H>H y(t) = (at + dict + a). 
This action is described by the following proposition. 
Proposition 12.1. (a) The group SL,(Z) acts properly discontinuously on H. 
(b) The region 
F = {teH:|Re(t)| <4 and |t| > 1} 
is a fundamental domain for H/SL,(Z). (I.e. The natural map ¥ > H/SL,(Z) is 
surjective, and its restriction to the interior of F is injective.) 
(c) Let 
S=(j “o) and T=(6 }). 

Then S* = 1, (ST)? = 1, and SL,(Z) is the free product of the cyclic groups of 
order 2 and 3 generated by S and ST. In particular, S and T generate SL,(Z). 


Proor. [Ap, thm. 2.1, 2.3], [Se 7, VII §1]. oO 


Corollary 12.1.1. Every lattice A < C is homothetic to a lattice A, for some 
tEF. 


Figure 12.1 illustrates the fundamental domain ¥ and its translates under 
various elements of SL,(Z). 


Remark 12.2. Any two bases {@,, @,} and {q;, 5} for a lattice A are related 
by a change of basis formula 


@, =a, + ba, @, = cM, + da, 


with a, b,c, deZ and ad — bc = +1. If we use homotheties to replace these 
bases by ones of the form {1,7} and {1, 7’} with 7, t’eH, then the above 
change of basis action on the w’s becomes exactly the linear fractional action 
of SL,(Z) on the t’s described above. 
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Figure 12.1 


The function G,,(A) depends only on the lattice A, and not on any parti- 
cular choice of basis. However, if A, = A, for some t, t’ EH, then G,,(t) and 
G,,(t’) may not be equal. Tracing through the definitions, one checks that 


Gox(yt) = (ct + d)*Gp,(t)  fory = (¢ Ee SL,(Z). 
Notice that if c = 0, then G,,(yt) = G,,(t). In other words, 
G,,(T"t) = Gy, (t + n) = G»,(t) for all neZ. 


This means that G,, has a Fourier expansion 


Gy()= Y e(na’, 


where we write gq = e?7". 

Definition. A meromorphic function on H is called a modular function of 
weight k (for SL,(Z)) if it satisfies: 

(i) f(t) =(ct+d)"“f(yt) — forally = JeSL,(Z); 


(ii) The Fourier expansion of f in the variable q = e?*" has the form 


ft) = ¥ etna" 


for some (finite) integer ng = no(f). 


We say that f is a modular form of weight k if f is holomorphic on H and 
No(f) = 0, in which case we also say that f is holomorphic at oo and set 
f(x) = c(0). (Notice that gq — 0 as t > ioo.) If further f(oo) = 0, then we call f 
a cusp form. 
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Remark 12.3. Note that if « =(~} _9), then at = 1 for every te H. Hence if f 
is a modular function of weight k with k an odd integer, then f(t) = 
(—1)"*f(at) = —f(z), and so f is identically 0. Thus a non-trivial modular 
function for SL,(Z) is necessarily of even weight. The next proposition pro- 
vides some examples of modular functions. 


Proposition 12.4. (a) The j-function j(t) is a modular function of weight 0 which 
is holomorphic on H. It Fourier series has the form 


j(t) =— + 744 4 > c(n)q" with c(n)eZ. 


(b) The Eisenstein series G,,(t) is a modular form of weight 2k. Its Fourier 
series is given by 


(2ni)? 


Galt) = 200K) + 255 ay —¥ aay s(n" 


(Here €(s) = Xn“ is the Riemann zeta function; and a,(n) is the divisor func- 
tion, o,(n) = Xq),4*.) 

(c) The discriminant function A(t) is a cusp form of weight 12. Its Fourier 
series has the form 


A(t) = (22)'? 3° t(n)q” with t(1) = 1 and t(n)eZ. 
n=1 
(The integer-valued function n > t(n) is called the Ramanujan t-function.) 
Proor. [Ap, thm. 1.18, 1.19, 1.20], [Se 7, VII prop. 4, 5, 8]. oO 


Remark 12.4.1. The Fourier coefficients of j(t) and A(t) have many interesting 
congruence properties. For example, 


t(n) = o,,(n) (mod 691) 


for all n = 1, 2,..., a result due to Ramanujan. We will not pursue this topic, 
but see, for example, [Ap, ch. 4] or [Se 7, VI, §3.3, §4.5]. 


Remark 12.4.2. The Fourier series for the Eisenstein series G,,(t) is often 
rewritten using the identity 


Xe g,(n)q” = p n“q"/(1 — q”). 
It commonly appears in the literature in both forms. 


The discriminant function A(t) also has the following beautiful product 
expansion. 


Theorem 12.5. (a) (Jacobi) 
A(t) = (2n)'7q Il (1 —q")**. 
n=1 
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(b) Define the Dedekind n-function by 
n(t) = q"4 [] 1 — q”. 
n=1 
(Here q'!** is defined to be e™*!!?, Notice that A(t) = (2n)'?n(t)**+.) Then 
n(t + 1)=e™2n(c) and n(—1/t) = (—it)'?n(0). 
(We take the branch of the square-root function which is positive on the positive 


real axis.) 


Proor. [Ap, thm. 3.1, 3.3], [Se 7, VII, thm. 6]. oO 


Remark 12.5.1. Since the maps t > t + 1 and t > —1/r generate the action of 
SL,(Z) on H (12.1.c), one can check that 


n(yt) = e{—i(ct + d)}*?n(t) for ally = (2 Se SL,(Z), 
where ¢ = é(a, b,c, d) satisfies e2+ = 1. There is a formula for e(a, b,c, d) 


which involves Dedekind sums. See [Ap, ch. 3, especially thm. 3.4] for details. 


Elliptic functions, such at the Weierstrass g-function, can be treated as 
functions of two variables, the second variable being the lattice. We define 


e(z;1)=(2;A) @(2;t1)=9'(2;A) — o(z; 1) = o(z; A). 


These functions have the following g-expansions. 


Proposition 12.6. Let q = e?** and u = e?*?, Then 


Qniy poles) = Yo au/(l — gta? + 1/1225) atl — a 


(ani) o'e:) = YF gh(d + q'u)((1 — qu); 


n=—o 


(2ni)o(z; 1) =e? (u? — uw!) T] (1 — qd — gta (1 — 
n=1 


(In this last formula, n = n(1) is one of the quasi-periods associated to the 
lattice Z + Zt. See (exer. 6.4b).) 


ProorF. [La 3, ch. 18, §2], [Rob, II §5]. oO 


Remark 12.7. An elliptic curve E/C is analytically isomorphic to a torus C/A, 
and we can choose the lattice A to be of the form A = A, = Z + Zt. Consider 
the exponential map exp(27i-): C > C*. The image of A, under this map is 
the cyclic subgroup q? = {q":neZ} of C*. Thus composing with the ex- 
ponential map, we obtain an analytic isomorphism 
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C*/q? > E(C). 
If we let u be the parameter on C* (ie. u = e*””), then this map is given by 


Le, 9’, 1], where g and @’ are given in terms of u by (12.6). 


We now describe the field of modular functions and the algebra of modular 
forms. 
Definition. Let 
M, = {modular forms of weight 2k}, 
M,.o = {cusp forms of weight 2k}. 


Notice that M, and M, 9 are C-vector spaces. Further, if fe M, and ge M,., 
then fge M,.,-. Thus the ring 


M = ¥ M, k 
k=0 
has a natural structure as a graded C-algebra. 


Theorem 12.8. (a) j(t) is a modular function of weight 0. Every modular func- 
tion of weight 0 is a rational function of j(t). 
(b) The map 

C[X, Y]-M P(X, Y) > P(G4, Ge) 


is an isomorphism of graded C-algebras, where we assign weights wt(X) = 4 
and wt(Y) = 6. In particular, every modular form is a polynomial in G4 and Gg. 


0 ifk <0 
() dime M, = 3 [k/6] if k = 1 (mod 6),k >0 
[k/6] +1 ifk #1(mod 6),k>0. 


(d) Multiplication by A(t) defines an isomorphism of M,- onto M,, o. 
Proor. [Ap, thm. 2.8, §6.4, §6.5], [Se 7, VII, §3.2, §3.3]. O 


The study of the spaces M, and M,, is facilitated by the existence of 
certain linear operators. For each integer n > 1, we define the Hecke operator 
T(n) on the space M, of modular forms of weight 2k by the formula 


(T(n)f)(0) = n° Si a™ y f((nt + bd)/d?). 
d|n b=0 


(For a more intrinsic definition, see [Ap, §6.8], [Se 7, VII §5.1], or [Shi 1, Ch. 
3].) 


Proposition 12.9. (a) If f is a modular form (respectively cusp form) of weight 
2k, then T(n)f is also. In other words, T(n) induces linear maps 
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T(n):M,—> M, and T(n): Myo My 0- 
(b) For all integers m and n, 
T(m) T(n) = T(n)T(m). 
(c) If mand n are relatively prime, then 
T(mn) = T(m)T(n). 

(d) For all primes p and integers r > |, 

T(p"**) = T(p")T(p) — p” * T(p™"). 
Proor. [Ap, thm. 6.11, 6.13], [Se 7, VII §5.1, §5.3]. a 
Application 12.10. Of particular interest are those modular forms which are 
simultaneous eigenfunctions for every Hecke operator T(n). In other words, 

Tn)f=AnMf  foralln =1,2,..., 


where A(1), A(2), ... are certain constants. If this occurs, then it is not hard to 
show that the Fourier expansion of f, f = Xc(n)q", satisfies 


c(n) = c(1)A(n) for alln = 1, 2,.... 


(See [Ap, thm. 6.14, 6.15], [Se 7, VII §5.4].) In particular, if f is not constant, 
then c(1) #0, and f is uniquely determined by c(1) and the eigenvalues 


{A(n)}. 


Example 12.10.1. Consider the space M, 9 of cusp forms of weight 12. From 
(12.8c) and (12.4c), it has dimension 1, and is generated by the discriminant 
function 


A = (2m)! [] (1 — @)** = Qn)? Y ria" 
n=1 n=1 
Since T(n)A is also in Mg o, it follows that T(n)A is a multiple of A. From 
(12.10) we conclude that 
Ti)A=t(n)A  foralln=1,2,.... 


(Note that t(1) = 1.) Now the identities (12.9cd) satisfied by the Hecke 
operators T(n) lead to analogous formulas for the Ramanujan function: 


t(mn) = t(m)t(n) if gcd(m, n) = 1; 
2(p"*!) = 2(p"\t(p) — p"*e(p")_ for p prime, r > 1. 


These beautiful identities, conjectured by Ramanujan, were first proven by 
Mordell. There is also the estimate, demonstrated by Deligne as a conse- 
quence of his proof of the Weil conjectures, which states that 


|t(p)| < 2,/p for p prime. 
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Since j(t) is a modular function of weight 0 (12.4a), it defines a function on 
the quotient space H/SL,(Z). Now H/SL,(Z) has a natural structure as a 
Riemann surface, and one can show that j(t) defines a holomorphic function 
on that surface. (See [Shi 1, §1.3, §1.4, §1.5].) 


Proposition 12.11. The map 
j: H/SL,(Z) >C 


is a complex analytic isomorphism of (open) Riemann surfaces. 
Proor. [Se 7, VII prop. 5]. O 


Corollary 12.11.1 (Uniformization Theorem). Let E/C be an elliptic curve 
Then there exists a lattice AcC and a complex analytic isomorphism 
C/A > E(C). 


ProorF. Let J be the j-invariant of E. From (12.11), there is a t¢H such that 
j(t) = J. Then the elliptic curve 


E,: y? = 4x? — g,(t)x — g3(t) 
has j-invariant J, so E, = E from (III.1.4b). On the other hand, (VI.3.6b) 


describes a complex analytic isomorphism C/(Z + Zt) > E,(C), which gives 
the desired result. oO 


From (12.11), we see that the Riemann surface H/SL,(Z) is not compact. 
Its natural compactification is P!(C), obtained by adding a single extra point 
at infinity. However, with a view toward eventual generalizations, we will 
take the following approach. Define 


H* =HUP1(Q). 


Here one should think of the points [x, 1]¢P+(Q) as forming the usual copy 
of Q@ in C; and the point [1,0]¢P1(Q) as a point at infinity. Notice that 
SL,(Z) acts on P*(Q) in the usual manner, 


y: Lx, y] > [ax + by, cx + dy]. 


The quotient space H*/SL,(Z) can be given the structure of a Riemann 
surface, and one can show that the j-function then defines a complex analytic 
isomorphism 


j:H*/SL,(Z) > P*(C). 
(See [Shi 1, §1.3, §1.4, §1.5] for details.) Notice that since SL,(Z) acts transi- 


tively on P'(Q), the net effect has been to add a single point, called a cusp, to 
H/SL,(Z). 
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Congruence Subgroups 


In studying modular functions for SL,(Z), one soon discovers the need to 
deal with functions which are modular only for certain subgroups of SL,(Z). 


Definition. For each integer N > 1, we define subgroups of SL,(Z) as follows: 
To(N) = {@ Je SL,(Z): ¢ = 0 (mod N)}; 
T,(N) = {(@ 2)eSL,(Z):c = 0 (mod N), a = d = 1 (mod N)}; 
T(N) = {(¢ Ee SL(Z):b =c = 0 (mod N), a = d = 1 (mod N)}. 


More generally, a congruence subgroup of SL,(Z) is defined to be a subgroup 
T of SL,(Z) which contains I'(N) for some integer N > 1. 


If T is a congruence subgroup of SL,(Z), then I acts on H*, and we can 
form the quotient space H*/I’. H*/T has a natural structure as a Riemann 
surface ({Shi 1, §1.3, §1.5]). The action of T on P1(Q) c H* gives finitely 
many orbits; the images of these orbits in H*/T are called the cusps of T. 


Example 12.12. If p is prime, then H*/I,(p) contains two cusps, represented 
by the points [1, 0] and [0, 1] in P1(Q). 


Definition. Let [ be a congruence subgroup of SL,(Z). A meromorphic func- 
tion f on H is called a modular function of weight k for T if 


(i) f(t) = (ct + d)*f (yt) for all y = (¢ ®)eT; and 
(ii) f is meromorphic at each of the cusps of H*/T. (See [Shi 1, §2.1] for the 
precise definition.) 


A modular function is called a modular form if it is holomorphic on H and at 
each of the cusps of H*/T; and it is a cusp form if it is a modular form which 
vanishes at every cusp. 


Example 12.13. The function 


F() = n(0)?n (112)? 


is a cusp form of weight 2 for the group I,(11). (Here 7(z) is the Dedekind n- 
function (12.5b).) 


If f(t) is a modular form of weight 2 for T, then one easily checks that the 
differential form f(t) dt on H is invariant under the action of I. (This follows 
from the identity d((at + b)/(ct + d)) = (ct + d)”? dz.) If, further, f is a cusp 
form, then one can show that f(t) dt is holomorphic at each of the cusps of I, 
and so defines a holomorphic 1-form on the quotient space H*/T. 


Proposition 12.14. Let I be a congruence subgroup of SL,(Z). There is a 
natural isomorphism between the space of weight 2 cusp forms for T and the 
space of holomorphic 1-forms on the Riemann surface H*/T. 
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Proor. [Shi 1, §2.4]. O 


Remark 12.15. It is not difficult to calculate the genus of H*/T; and thereby, 
using (12.14), to find the dimension of the space of weight 2 cusp forms for I. 
For example, if p is prime, then H*/Ty(p) has genus equal to the numerator of 
the fraction (p + 1)/12 expressed in lowest terms. For general formulas, see 
[Shi 1, prop. 1.40, 1.43]. 


The Hecke operators defined above also act on the space of modular forms 
relative to congruence subgroups. 


Proposition 12.16. Let I be a congruence subgroup of SL,(Z), say Y > T(N); 
and let f(t) be a modular form of weight 2k for. Then for each integer n > 1 
relatively prime to N, the function T(n)f defined by the formula given above is 
again a modular form of weight 2k for T. Further, if f is a cusp form, then so is 


T(n)f. 
Proor. [Shi 1, prop. 3.37]. O 


Remark 12.17. Just as in the case of the full modular group SL,(Z), one 
studies those modular forms relative to T which are simultaneous eigenfunc- 
tions for all of the Hecke operators. For example, the Riemann surface 
H*/Tp(11) has genus 1 (12.15), so the space of cusp forms of weight 2 for 
T,(11) is of dimension 1 (12.14). It follows that the function 


Sf (0) = n(t)?n(1 12)? 


given in (12.13) is an eigenfunction of T(n) for every integer n satisfying 
gcd(n, 11) = 1. 


References. [Ah1, ch. 7], [Ap, ch. 2,3,6], [B—Sw 2], [Ko], [La 3], [Og 4], 
[Rob, ch. I, §3,4], [Se 7, ch. VIL], [Shi 1, ch. 1,2,3]. 
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Let I’ be a congruence subgroup of SL,(Z). If ©! = SL,(Z), then we have seen 
(§12) that the points of the Riemann surface H/T are in one-to-one corre- 
spondence with the isomorphism classes of elliptic curves defined over C. 
This correspondence associates to the point t (mod TI) of H/T the elliptic 
curve E, = C/(Z + Zr). We will now describe a similar interpretation for the 
points of H/T in the case that I is a more general congruence subgroup. 
For example, consider the subgroup I’, (N), which we recall consists of all 
matrices y = (* 4) such that c= 0 (mod N) and a=d=1 (mod N). Since 
T,(N) < SL,(Z), we can again associate to each t¢ H/T, (N) the elliptic curve 
E,. This is nothing more than the natural map H/T’,(N) > H/SL,(Z). But 
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a point of H/T,(N) contains additional information. Consider the point 
T,c€ E, corresponding to 1/NeEC/(Z + Zr). (Thus T,e E,[N].) Then for any 
yeSL,(Z), the isomorphism 


f: CZ + Zt) > CZ + Zy(1)) 
z—z/(ct + d) 


maps 1/N to 1/N(ct + d). (Note that y(t) = (at + b)/(ct + d).) If we further 
assume that yeT,(N), then 


1 1 _ (c/N)t + (d—1)/N 
N N(ct+d) ct+d 


Thus the point 1/N ¢C/(Z + Zt) remains fixed when the basis for the lattice is 
changed by an element of I,(N). Hence a point of H/T, (N) gives an elliptic 
curve E,/C together with a specified point T,¢ E, of exact order N. Further, 
given any elliptic curve E/C and any point Te E of exact order N, there is a 
point te H/T,(N) and an isomorphism E, > E such that T, > T. Using fan- 
cier terminology, we say that the Riemann surface H/T, (N) is a moduli space 
for the moduli problem of determining equivalence classes of pairs (E, T), 
where E is an elliptic curve defined over C, and T¢€ E is a point of exact order 
N. (Two pairs (E, T) and (E’, T’) are deemed equivalent if there is an isomor- 
phism E = E’ which takes T to T’) 

Similarly, if yeI(N) and teH/I,(N), then one easily checks that the 


subgroup 
1 2 N-1 = Cc 
N’N’'? N Z+2Zt 


remains invariant under the action of y. As above, H/Tg(N) is a moduli space 
for the problem of determining (equivalence classes of) pairs (E, C), where E 
is an elliptic curve and C c E isa cyclic subgroup of exact order N. Note that 
from (III.4.11), there is a one-to-one correspondence between subgroups 
® c E and isogenies ¢: E — E,, given by the association ® < ker ¢. Thus the 
points of H/T,(N) can also be viewed as classifying triples (E, E’, ¢), where 
¢: E — E’ is an isogeny whose kernel is cyclic of order N. 

Finally, we consider the moduli problem associated to the congruence 
subgroup I'(N). If ye T(N) and te H/T(N), then as above one checks that the 
points 1/N and 1/N in C/((Z + Zt) remain invariant under the action of y. 
Thus associated to a point of H/T'(N) is an elliptic curve C/(Z + Zr), together 
with a basis {1/N, t/N} for the group of N-torsion points. However, a point 
of H/I’(N) contains one further piece of information. Recall (III §8) that there 
is a pairing ey on the group of N-torsion points of an elliptic curve. Then one 
can check that 


ef(Z + Zt) =Z + Zy(2). 


ey(1/N, t/N) = e27!/%, 


Thus not only do we get a basis for the N-torsion, but the two points making 


§13. Modular Curves 353 


up that basis pair, via the Weil pairing, to a specific primitive N root of 
unity. 

Now for arithmetic applications, it is important to understand when an 
elliptic curve E/C or a point Te E(C) is defined over some subfield of C, such 
as a number field. For example, although the Riemann surface H/SL,(Z) only 
classifies elliptic curves over C, we have a complex analytic isomorphism 
(C.12.11) 

j: H/SL,(Z) > AY, 


where A! is a variety which is defined over Q. Further, the elliptic curve E, 
corresponding to t¢H/SL,(Z) is isomorphic, over C, to an elliptic curve 
defined over Q(j(t)). There is a general theory which deals with fields of 
definition for the spaces H/T and their associated moduli problems, but we 
will be content with the following description for the three special sorts of 
congruence subgroups considered above. 


Theorem 13.1. Let N > 1 be an integer. 
(a) There exists a smooth projective curve Xo(N)/Q and a complex analytic 
isomorphism 

jn,o 1 H*/To(N) > Xo(N)(C) 


such that the following holds: 

Let teH/T,(N), and let K = Q(jy,o(t)). From above, t corresponds to an 
equivalence class of pairs (E, C), where E is an elliptic curve and Cc Eis a 
cyclic subgroup of order N. Then this equivalence class contains a pair such 
that both E and C are defined over K. (I.e. E is an elliptic curve defined over K, 
and C < E(K) is mapped to itself by Gxjx.) 

(b) There exists a smooth projective curve X,(N)/Q and a complex analytic 
isomorphism 


Jv,1 H*/P,(N) > X,(N)(C) 


such that the following holds: 

Let teH/T,(N), and let K = Q(jy,,(t)). From above, t corresponds to an 
equivalence class of pairs (E, T), where E is an elliptic curve and T€ E is a point 
of exact order N. Then this equivalence class contains a pair such that E is 
defined over K and T€ E(K). 

(c) Fix a primitive N™ root of unity €eC. There is a smooth projective curve 
X(N)/Q(0) and a complex analytic isomorphism 


jy H*/T(N) > X(N)(C) 


such that the following holds: 

Let teH/T(N), and let K = Q(C, jy(t)). As explained above, t corresponds to 
an equivalence class of triples (E, T,, T,), where E is an elliptic curve, and 
{T,, T,} are generators for E[N] satisfying ey(T,, T>) = ¢. (Here ey is the Weil 
pairing. See (III §8).) Then this equivalence class contains a triple such that E is 
defined over K and T,, T, € E(K). 
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Proor. [Shi 1, §6.7]. O 


Remark 13.2. If T is any congruence subgroup of SL,(Z), then one can find in 
a similar manner a smooth projective curve X (I) defined over some number 
field K(T) and a complex analytic isomorphism j,:H*/T > X(T)(C). See 
[Shi 1, $6.7] for details. Recall that the cusps of I are defined to be the image 
of P*(Q) in H*/T. 


Definition. With notation as in (13.2), the curve X(I) is called a modular 
curve. The set of cusps of X(T) consists of the finite set of points j-(P’(Q)/T). 
(Ie. The cusps of X(I) are the image under j, of the cusps of I.) We denote 
the complement of the set of cusps of X([) by Y(I). Y(I) is a smooth affine 
curve. 


Notation. For the congruence subgroups I)(N), T',(N), and '(N) considered 
in (13.1), the curve Y(I) is usually denoted by Y(N), Y,(N), and Y(N) 
respectively. 


Example 13.3. Let N be an odd prime. Then X)(N) has two cusps, both of 
which are rational over Q (i.e. in X)(N)(Q)). Similarly, X,(N) will have N — 1 
cusps; but now only half of the cusps will be in X,(N)(Q). The other 3(N — 1) 
cusps of X,(N) are defined over the maximal real subfield of Q(¢,). 


Example 13.4. The curve X,(7) is isomorphic to P!. To make this precise, we 
can associate to each point [t, 1]¢P? the pair (E,, P,), where E, is the curve 
(defined over Q(t)) given by the equation 


E,:y+(i+t—t)xy+(? — jy = x3 + (7 — 3)x?, 


and P,cE, is the point P, = (0,0). The curve E, will be an elliptic curve 
provided that the discriminant 


A(t) = t7(t — 1)7(t8 — 8t? + 5t + 1) 


does not vanish. Further, if A(t) 40, then one easily checks (using the 
addition law) that [7] P, = 0. The curve X,(7) has six cusps, corresponding to 
the values t = 0, t = 1, t = 00, and the three roots of t? — 817 + St +1=0. 
The reader may verify that each of these latter three roots generates the 
maximal real subfield of Q(¢,), thereby verifying (13.3) in this case. 


Remark 13.5. To illustrate one application of modular curves, we use them to 
rephrase conjecture (VIII.7.7). That conjecture says that for every number 
field K, there is an integer N(K) such that for every elliptic curve E/K, E(K) 
has no torsion points of order greater than N(K). Notice that if E(K) has a 
point P of order N, then the pair (E, P) corresponds to a non-cuspidal point 
of X,(N)(K). (ie. a K-rational point of the modular curve X,(N)). Thus 
(VIII.7.7) is equivalent to the statement that for any number field K, the set of 
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rational points X,(N)(K) consists entirely of cusps for all sufficiently large N. 
The question of rational torsion points on elliptic curves is thus transformed 
into the question of rational points on modular curves. It is this idea which 
provides the starting point for the results of Mazur (VIII.7.5) and Manin 
(VIII.7.6). 


Some modular curves are actually elliptic curves themselves. For example, 
the curve X,(11) has genus 1; and since it has two cusps defined over Q (13.3), 
we can use one of the cusps to make X,(11) into an elliptic curve. Now an 
elliptic curve such as Xp(11) has a lot of additional structure, due to the fact 
that it is a modular curve; and it is possible to use that extra information to 
study the arithmetic of X,(11). Unfortunately, the genus of X,(N) grows 
(slightly irregularly) with N, so there are only finitely many curves X)(N) of 
any given genus. However, it sometimes happens that there is a map 
@: X(N) > E, defined over Q, from X(N) onto an elliptic curve E/Q. In this 
case, we say that E is a Weil curve, or that E is parametrized by modular 
functions. Such elliptic curves have a very rich structure, which can be used to 
study their arithmetic properties. We will discuss these curves in more detail 
later (16.4), and will just state here the following (weak) version of the conjec- 
ture of Taniyama and Weil. 


Conjecture 13.6 (Taniyama—Weil). Every elliptic curve defined over Q is a Weil 
curve. (I.e. If E/Q is an elliptic curve, then there exists an integer N and a 
surjective morphism ¢: X9(N) > E defined over Q.) 


References. [B—Sw 2], [Ka—M], [Maz 1], [Maz 2], [Shi 1]. 
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For this section and the next, we let K be a local field, complete with respect 
to a discrete valuation v. Recall that for elliptic curves over C, the existence of 
a lattice A c C and a uniformization E(C) = C/A provides a powerful tool 
for the study of E(C). If one attempts to mimic this construction for K, one is 
immediately stymied, since such a field can have no non-trivial discrete sub- 
groups. However, if A is normalized as Z + Zt, then applying the exponential 
map exp(27i-) to C/A gives a new isomorphism E(C) = C*/q”. Here q = e?**, 
and q@ is the subgroup of C* generated by gq (cf. 12.7). Now the analogous 
situation for K looks more promising, since the multiplicative group K* has 
lots of discrete subgroups, namely those of the form q” with |q|, # 1. Further, 
all of the classical g-expansions for the various elliptic and modular functions 
(cf. §12) will converge in the v-adic case provided that q is chosen to satisfy 
lql, <1. 
For example, consider the elliptic curve (called the Tate curve) 
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E,:y? + xy =x? + a4x + dg 


whose coefficients are given by the power series (considered, for the moment, 
as formal power series in Z[q]) 


1 
a,=-5¥ nq'(l—a") ag = —— ¥ (In + 5n3)q"(1 — @". 
n21 12,54 


The associated discriminant and j-invariant are given by the familiar for- 
mulas from the complex case (see §12) 


1 

A=q[[(-4")** ere eee a 
n21 

(Note that except for the leading term, j¢ Z[q].) Further, the elliptic curve E, 

has the point (in the power series ring Z[q, u]]) defined by 


x = x(u,q) = y, aut —q'uy? —2 yi ngq"/(1 — q") 


y=y4q= » q'ur(l—q"uy? + ¥) ng"/(l — 4"). 
ne n21 
Now one need merely observe that all of the above formulas make sense if 
q and u are taken to be elements of K*, provided that |q|, < 1. In other 
words, the various power series will converge in the v-adic metric. We thus 
obtain a v-adic analytic uniformization 


¢: K*/q* > E,(K) 
u — (x(u, q), yu, 9). 


(Of course, we set ¢(1) = O.) More generally, the power series x(u, q) and 
y(u, q) will converge for any ue K, and so will induce a map 


¢: K*/q”  E,(R). 


(Note that although K will not be v-adically complete, the convergence of the 
power series is taking place in the finite extension K(u). As an alternative, one 
can work in the v-adic completion of K, which turns out to be algebraically 
closed.) 

Another important point to notice is that since the action of Gg/x on K is 
v-adically continuous, this action will commute with the convergence of 
power series. In other words, ¢ is an isomorphism of Gg,x-modules, so it can 
be used to make arithmetic deductions. (In this respect, at least, the non- 
archimedean uniformization is more useful than the corresponding situation 
over C.) 

The uniformization theorem (VI.5.1.1) (combined with the exponential 
map) says that every elliptic curve over C is (analytically) isomorphic to 
C*/q? for some qe C* with |q| < 1. It is clear that this carinot be true over K. 
For examining the power series for j = j(q), we see that |q|, < 1 implies that 
|i(4)|, < 1. Thus every curve E, has non-integral j-invariant. More precisely, 
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the reduction E, of E, modulo v has the Weierstrass equation 
E,:y +xy=x°; 


so E, has split multiplicative reduction at v. 


Theorem 14.1 (Tate). Let K be a field complete with respect to a discrete 
valuation v. 
(a) For every qe K* with |q|, < 1, the map 


: K*/q’ > E,(K) 


described above is an isomorphism of Gx)x-modules. 

(b) For every jo € K* with | jo|, < 1, there is a qe K* with |q|, < 1 such that the 
elliptic curve E,/K has j-invariant jy. E, is characterized by j(E,) = jg and the 
fact that it has split multiplicative reduction at v. 

(c) Let R be the ring of integers of K. Then under the isomorphism E,(K) = 
K*/q", we have the identifications 


(E,)o(K) = R* and (E,),(K) = {ue R*:u = 1 (mod v)}. 


(d) Let E/K be an elliptic curve with non-integral j-invariant which does not 
have split multiplicative reduction. From (b), there is a qe K* such that j(E) = 
j(E,). Then there is a unique quadratic extension L/K such that E is isomor- 
phic to E, over L. Further, 


E(K) = {ue L* : Norm, x(u)eq7}/q7. 


The extension L/K is unramified if and only if E has (non-split) multiplicative 
reduction, in which case the residue field extension of L/K is generated by the 
tangents to the node of the reduction E of E at v. 


ProoF. This was originally discovered by Tate, but never officially published 
by him. Accounts can be found in [Rob, II §5] and [Roq]. 


References. [Rob], [Roq], [La 3, ch. 15]. 
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As in the last section, we let K be complete with respect to a discrete valu- 
ation v, and let R be the ring of integers and k the residue field of K. Let E/K 
be an elliptic curve, and choose a minimal Weierstrass equation for E at v. 
Suppose now that we consider this equation as defining a scheme E over 
Spec(R). The resulting scheme may not be regular (i.e. smooth), for if E has 
bad reduction at v, then the singular point on the special fiber E of E may be 
a singular point of the scheme. By resolving the singularity, one obtains a 
scheme ¢/Spec(R) whose generic fiber is E/K and whose special fiber is a 
union of curves (with multiplicities) over k. 
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Theorem 15.1 (Kodaira, Néron). Let E/K be as above. 

(a) There is a regular projective two-dimensional scheme @/Spec(R) whose 
generic fiber @ X gpeccry Spec(K) is isomorphic (over K) to E/K. Suppose further 
that @ is minimal (i.e., the map @ — Spec(R) cannot be factored as € > €' > 
Spec(R) in such a way that @ Xspeqr) Spec(K) > @’ Xspeccry Spec(K) is an 
isomorphism.) Then @ is unique. 

(b) Let € < @ be the subscheme of @ obtained by discarding all of the singular 
points of the special fiber @ = @ x spec(r) Spec(k). (I.e. We discard all multiple 
fibral components and all intersections of fibral components. Note that these 
are not singular points of @ itself, which is regular.) Then & is a group scheme 
over Spec(R) whose generic fiber & Xspeccry Spec(K) is isomorphic, as a group 
variety, to E/K. & is called the Néron minimal model of E/K. 

(c) The natural map &(R)— E(K) is an isomorphism. (I.e. Every section 
Spec(K) — E on the generic fiber extends to a section Spec(R) > €.) 

(d) Let ® =€ x spec(ry Spec(k) be the special fiber of &.°Then & is an algebraic 
group over k, and we let &°/k be its identity component (so & is an extension of 
&° by a finite group.) Note that there is a reduction map &(R) > &(k). Then 
with the identification 6(R) = E(K) from (c), 


(i) 8% (k) = E,.(k) = Eo(K)/E,(K). 
(ii) &(k)/6°(k) = E(K)/Eo(K). 
Proor. [Né 2]. oO 


Remark 15.1.1. In some sources, @ is called the Néron minimal model of E/K. 
However, for abelian varieties of higher dimension, the Néron minimal 
model always refers to a group scheme analogous to our &, and there is no 
natural analogue of @. The ambiguity for elliptic curves results because the 
minimal model of E, considered as a curve, is @; while the minimal model of 
E, treated as a group variety, is &. 


Notice that (15.1d(ii)) gives a description of E(K)/E)(K) in terms of the 
group of components of a certain algebraic group &/k. It turns out that there 
are only a handful of possibilities for &. More precisely, one can write down 
all of the possibilities for the special fiber @ = @ x spec(ry Spec(k); and then 
one obtains & by discarding all of the components of multiplicity greater 
than 1 and all of the points where components intersect. The results are as 
follows. 


Theorem 15.2 (Kodaira, Néron). With notation as in (15.1), all of the possi- 
bilities for the special fiber @ and the group of components &(k)/&°(k) are given 
in table 15.1. 

Except for the case Ip, each of the pictured components is a rational curve (i.e. 
a copy of P*). Further, A, is the minimal discriminant of E at v, and f, is the 
exponent of the conductor (which is defined below in §18). 
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Table 15.1 


SES RE CED 


= Bk )/8%k) 


ae m= PE EET EE 


Kodaira symbol 


Special fiber © & 
(the numbers 
indicate multi- 


plicities ) 


m = number of 
irreducible 
components 


E(K )/Eg(K) 


Entries below this line are valid only for char(k) = 2,3 


ee a 


f, = exponent of 
conductor = 
ord, (Ay )+1-m 


behavior of j vcazdprdy (=o) Fo | is1728| Teo |v<a)29|°° Sv vi) |js0 fist728| ieo | 


Proor. [Né 2]. oO 


Corollary 15.2.1. The group E(K)/E)(K) is finite. If E has split multiplicative 
reduction, then it is cyclic of order —ord,(j(E)). In all other cases, it has order 
at most 4. 


Proor. The first statement follows from (15.1d). For the second, if E has split 
multiplicative reduction, then E(K) = K*/q* and E(K)/E)(K) = Z/ord,(q)Z 
(14.1ac). Further, ord,(q) = —ord,(j(E)) (cf. §14). Next, if E has non-split 
multiplicative reduction, then one easily checks using (14.1d) that E(K)/E)(K) 
has order 1 or 2. Finally, if E has additive reduction, then the result follows 
by inspection of table 15.1. oO 


Remark 15.3. Note that except when k has characteristic 2 or 3, everything 
about E (i.e. reduction type, exponent of conductor, the group E(K)/Eo(K)) 
can be read off from table 15.1 once one has a minimal Weierstrass equation 
for E. Further, a given Weierstrass equation will be minimal if and only if 
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either ord,(A) < 12 or ord,(c,) < 4 (exer. 7.1a), so in this case it is easy to 
check for minimality. In general, for k of arbitrary characteristic, one can use 
a straightforward (but somewhat lengthy) algorithm of Tate ([Ta 6]) to 
compute the special fiber @, and then read the desired results from the 
corresponding column in table (15.1). 


References. [Né 2], [Ta 6]. 
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The L-series of an elliptic curve is a generating function which records in- 
formation about the reduction of the curve modulo every prime. Known 
results are fragmentary, but conjecturally such L-series contain a large 
amount of information concerning the set of global points on the curve, 
(which may be somewhat surprising, in view of the failure of the Hasse prin- 
ciple for curves of genus 1.) Further, there are intimate relations, both known 
and conjectural, between these L-series and the theory of modular forms. In 
this section we will explain these conjectures and give some of the evidence 
which support their validity. 

Let E/K be an elliptic curve, and let ve My be a finite place at which E has 
good reduction. We denote the residue field of K at v by k,, the reduction of E 
at v by E,, and let g, = #k, be the norm of the prime ideal corresponding to 
v. Recall (V §2) that the zeta function of E,,/k, is the power series 


Z(E,/ko; T) = exp ( Y # Elko Tn), 
(Here ky nis the unique extension of k, of degree n.) Further, we proved (V.2.4) 
that Z(E,/k,; T) is actually a rational function 
Z(E,/ky3 T) = LT — T)(1 — qT), 
where 
L,(T)=1—a,T+ q,T?¢€Z[T] and a,=q,+1— #E,(k,). 


We extend the definition of L,(T) to the case that E has bad reduction by 
setting 


1—T if £E has split multiplicative reduction at v 
L,T)=51+T if E has non-split multiplicative reduction at v 
1 if E has additive reduction at v. 


Then in all cases we have the relation 
L,(1/q,) = # Ens(ke)/4p- 
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Definition. The L-series of E/K is defined by the Euler product 
Lyx(s) = I] L,(q,°)*. 
veM®e 


This product converges and gives an analytic function for all Re(s) > 3. (Use 
the fact (V.2.4) that |a,| < 20/4 .) It is conjectured that far more is true. 


Conjecture 16.1. The L-series Lx)x(s) has an analytic continuation to the entire 
complex plane, and it satisfies a functional equation relating the values at s and 
2-5. 


This conjecture is known to be true for those elliptic curves having com- 
plex multiplication (Deuring [De 3], Weil [We 4]), in which case Lz,,(s) is 
shown to equal a Hecke L-series with Gréssencharacter. It is also known for 
those elliptic curves over @ which are parametrized by modular functions 
(Eichler, Shimura, see below), where L;,q(s) turns out to be the Mellin trans- 
form of a modular form. 

Next we define the conductor of E/K. It is a certain integral ideal of K 
which is the same for isogenous elliptic curves. If ve Mx, the exponent of the 
conductor of E at v is defined by 


0 if E has good reduction at v 
fh=ijl if E has multiplicative reduction at v 
2+6, if E has additive reduction at v, 


where 6, is a measure of the “wild ramification” in the action of the inertia 
group on T,(E) (cf. [Se-T], [Og 3]). In particular, 6,=0 provided 
char(k,) # 2, 3. Further, f, may be computed by using Ogg’s formula. 


Proposition 16.2 (Ogg [Og 3]). Let m, be the number of irreducible components 
(ignoring multiplicities) on the special fiber of the minimal (complete) Néron 
model of E at v (cf. §15). Then 


S, = ord,(Dgx) + 1 —m,. 


(Here Dg)x is the minimal discriminant of E/K.) 


Definition. The conductor of E/K is the integral ideal of K defined by 
Nex = [] pe". 


veMX 


In order to simplify the exposition in the rest of this section, we will now 
restrict attention to the case K = Q. Notice that we can then take the con- 
ductor N; = Ngjg to be a positive integer. Define a new function 


Ex(s) = Ng? (2m) *T(5)L (5). 


Then (16.1) has the following more precise formulation. 
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Conjecture 16.3. The function €,(s) has an analytic continuation to the entire 
complex plane, and it satisfies the functional equation 


E,(s) = wé,(2—s)  withw= +1. 


As noted above, (16.3) is known to be true if E is parametrized by modular 
functions. Weil and Taniyama have conjectured that every elliptic curve over 
Q has this property. More precisely, we have the following. 


Conjecture 16.4 (Taniyama—Weil). Let E/Q be an elliptic curve of conductor 
N, let L,(s) = Xc,n~* be its L-series, and let f(t) = Xc,e?™"* be the inverse 
Mellin transform of Lr. 

(a) f(t) is a weight 2 cusp form for the congruence subgroup T)(N) of SL,(Z). 
(b) For each prime p } N, let T(p) be the corresponding Hecke operator; and let 
W be the operator (Wf )(t) = f(—1/Nt). Then 


T(p)f =c,f and Wf =wf, 


where w = +1 is the sign of the functional equation (16.3). 

(c) Let w be an invariant differential on E/Q. There exists a morphism 
¢: Xo(N) — E, defined over Q, such that $*(q) is a multiple of the differential 
form on X_(N) represented by f(t) dt. 


Weil has shown [We 6] that if L,(s) and sufficiently many of its twists 
satisfy a functional equation as in (16.3), then f(t) is a cusp form for I,(N). 
Shimura ([Shi 2], [Shi 3]) has verified that this holds for elliptic curves with 
complex multiplication. Conjecture (16.4) has also been verified numerically 
for curves of low conductor (cf. [Og 1], [Og 2], and the tables in [B—K]). 

Another important conjecture about the L-series of elliptic curves con- 
cerns their special value at s = 1. Before stating it, we set the following 
notation: 


E/Q an elliptic curve 

@ the invariant differential dx/(2y + a,x + a3) on a global mini- 
mal Weierstrass equation for E/Q. (Cf. VIII §8.) 

Q Jeqe|@| [Either the real period, or twice the real period, depend- 


ing on whether or not E(R) is connected. ] 
I(E/Q) the Shafarevich—Tate group of E/Q. (Cf. X §4.) 
R(E/Q) the elliptic regulator of E(Q)/E,,,,(Q), computed using the 
canonical height pairing. (Cf. VIII §9.) 
# E(Q,)/E,(Q,) [Thus c, = 1 unless E has bad reduction at p. 
See (§15) and (VII §6) for a geometric description of c,.] 


Cp 


Conjecture 16.5 (Birch and Swinnerton-Dyer). (a) L,(s) has a zero at s = 1 of 
order equal to the rank of E(Q). 
(b) Let r = rank E(Q). Then with notation as above, 


Lim (s — 1) "Lz(s) = Q# WI(E/Q)R(E/Q)(# E,.,.(Q))? [] c,. 
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As described by Tate, “this remarkable conjecture relates the behavior of a 
function L at a point where it is not at present known to be defined to the 
order of a group III which is not known to be finite!” There is a great deal of 
evidence for this conjecture, of which we will mention the following. 


Evidence 16.5.1. Conjecture (16.5) has been checked numerically in a large 
number of cases. Since II is not known to be finite, what this means for 
(16.5b) is that the conjecture is used to compute a hypothetical value for I. 
This always turns out to be the square of an integer (as it should, due to the 
existence of the Cassel’s pairing (X.4.14)); and it agrees with the calculated 
value of the 2 and/or 3 primary component of II. (See [B—Sw 1], which 
contains the original numerical evidence, and [Ste].) 


Evidence 16.5.2. Isogenous elliptic curves have the same number of points 
modulo p for all primes p (exer. 5.4), and so they have the same L-series. (One 
must also check the primes of bad reduction.) Consequently, if (16.5b) is true, 
then the quantity 


QO # I (E/Q)R(E/O)(# E,,(Q))"? [] ¢, 


must be an isogeny invariant. This has been verified by Cassels ([Ca 6]), and 
extended to abelian varieties by Tate, in both cases under the assumption 
that Il is finite. It is worth noting that none of the individual terms in the 
product need be the same for isogenous curves. 


Evidence 16.5.3. Coates and Wiles ([(Co—W], see also [Arth], [Ru]) have 
shown that if E/Q has complex multiplication and E(Q) is infinite, then 
L,(1) = 0. 


Evidence 16.5.4. Greenberg ([Gre]) has shown that if E/Q has complex multi- 
plication and L,(1) = 0, then either rank E(Q) > 1, or else II(E/Q)[p®] is 
infinite for a set of primes p of density 4. (This last possibility seems most 
unlikely, to say the least. See also [Roh].) 


Evidence 16.5.5. For certain elliptic curves E/Q which are parametrized by 
modular functions and satisfy L,(1) = 0, Gross and Zagier ((Gr—Z 2]) have 
given a limit formula relating L;,(1) to the canonical height of a certain point 
P €E(Q) (called a Heegner point). In particular, they show that if L,(1) 4 0, 
then E(Q) has rank at least 1; and if it has rank exactly 1, then the equality in 
(16.5b) is true up to multiplication by a rational number. (Le. They show that 
L‘,(1)/QR(E/Q) is a rational number. Notice that in this case there is no need 
to assume that II is finite.) 


References. [Arth], [B—Sw 1,2], [Ca 6], [Co—W], [De 3], [Gre], [Gr—Z 2,3], 
[Og 1,2,3,4], [Roh], [Ru], [Se—T], [Shi 1,2,3], [Ste], [We 4,6]. 
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§17. Duality Theory 


In (X §4) we discussed the bilinear pairing on the Shafarevich—Tate group. 
There is a complementary duality theorem in the local case which goes as 
follows. 


Theorem 17.1 (Tate [Ta 1], [Ta 2]). Let ve My be a non-archimedean absolute 
value, and let E/K, be an elliptic curve. Then there exists a bilinear, non- 
degenerate pairing 


< , ): E(K,) x WC(E/K,) > Q/Z. 


More precisely, if E(K,) is given the v-adic topology and WC(E/K,) the dis- 
crete topology, then < , » induces a duality of locally compact groups. (I.e. The 
pairing < , > is continuous, the continuous homomorphisms E(K,) > Q/Z all 
have the form <:,€> for some €WC(E/K,); and similarly the continuous 
homomorphisms WC(E/K,)—>Q/Z all have the form <P,-> for some 
PeE(K,).) 


The global duality theory is not quite as satisfactory, due to the fact that 
it is not known whether the Shafarevich-Tate group can have divisible 
elements. 


Theorem 17.2 (Cassels [Ca 3], Tate [Ta 2]). Let E/K be an elliptic curve. 
There exists an alternating, bilinear pairing 


I(E/K) x W(E/K) > Q/Z 


whose kernel on either side is precisely the group of divisible elements of I. 


Corollary 17.2.1. If WI(E/K) is finite, or more generally if any p-primary 
component II(E/K)[ p®] is finite, then its order is a perfect square. 


References. [Ca 3], [Se 8], [Ta 1], [Ta 2]. 


§18. Local Height Functions 


In his original construction of the canonical height, Néron ({Né 3]) pro- 
ceeded by constructing a local height pairing for each absolute value ve M;; 
and then he formed the (global) canonical height by taking the sum of the 
local heights. A nice exposition of this theory for elliptic curves was given by 
Tate ((Ta 4]) and published in [La 5]. The theory of local height functions is 
important in the study of the more delicate properties of the canonical height. 
(See, for example, [Gr—Z 2] or [Sil 1].) It is also useful for numerical compu- 
tation of the canonical height of points on elliptic curves. 
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Theorem 18.1. Let ve Mx, and let E/K, be an elliptic curve given by a Weier- 
strass equation 


E:y? + a,xy + ayy = x? + a,x? + agx + dg. 
There is a unique function 
dy: E(K,) — {0} > R, 
called the local height function for E at v, with the following properties: 


(i) A, is continuous for the v-adic topology on E(K,) and the usual topology 
on R. 
(ii) Limit (A,(P) + 4v(x(P))) exists, where P > O in the v-adic topology. 
P+0 


(iii) For all Pe E(K,) with [2]P 4 O, 
A,([2]P) = 44,(P) + v(2y(P) + a,x(P) + a3) — 40(A). 


(Here A is the discriminant of the given Weierstrass equation.) 
Further, property (iii) may be replaced by the “quasi-parallogram law” 
(iii’) For all P, QE E(K,) with P,Q, P+ Q #40, 


A(P + Q) + A,(P — Q) = 24,(P) + 24,(Q) + v(x(P) — x(Q)) — gv(A). 
Remark 18.1.1. Note that the function /, in (18.1) does not depend on the 


choice of Weierstrass equation for E, because the conditions (i)-(iii) are 
invariant under change of coordinates. 


Theorem 18.2. Let E/K be an elliptic curve. Then for all points Pe E(K) — {0}, 
the canonical height h(P) is given by 


1 
h(P) = [K:Q] oe n,A,(P). 


There are explicit formulas for the local height function in all cases, but we 
will be content with the following statement. 


Theorem 18.3. Let E/K be an elliptic curve and ve Mx. 


(a) Case I. v archimedean 7 

Choose a lattice A < C and an isomorphism E(K,) = C/A. Let o(z, A) be the 
Weierstrass o-function, and let A(A) and n: C > R be as in (exers. 6.6 and 6.4). 
If Pe E(K,) corresponds to zEC/A, then 


A,(P) = —log|A(A)"7e-" o(z, A)lo: 


(b) Case II. v non-archimedean and P € E)(K,) 
Let x and y be coordinate functions on a minimal Weierstrass equation for E at 
v. Then 


A,(P) = max { —4v(x(P)), 0} + pyv(A). 
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(c) Case III. v non-archimedean, E has split multiplicative reduction at v, and 
P¢E,(K,) 
Fix an isomorphism E(K,)/E,(E,) = Z/NZ, where N = —ord,(j(E)) (cf. 
VII.6.1). Suppose that PeE(K,) corresponds to neZ/NZ for some 
1<n<N—1. Then 
4,(P) = —3B,(n/N)v(j(E)), 


where B,(T) = T? — T + 1/6 is the second Bernoulli polynomial. 


Remark 18.3.1. There are also formulas for 4,(P) in the other cases of bad 
reduction; but note that in any case, one can always apply (18.3) after replac- 
ing K by some finite extension (VII.5.4c). 


References. [La 5], [Né 3]. For a reformulation (and generalization) in terms 
of arithmetic intersection theory, see for example [Chi] or [Fa 2]. 


§19. The Image of Galois 


Let E/K be an elliptic curve defined over a number field, and let 7 be a prime. 
Many of the arithmetic properties of E are determined by the /-adic repre- 
sentation 

pe: Ggx > Aut(T;(E)). 


Two of the most important results concerning p; are the following. 


Theorem 19.1 (Serre [Se 5], [Se 6]). Assume that E does not have complex 
multiplication. 


(a) The image of p; is of finite index in Aut(T;(E)) for all primes ¢. 
(b) The image of p; equals Aut(T,(E)) for all but finitely many primes ¢. 


Theorem 19.2 (Faltings [Fa 1]). Let E/K and E'/K be elliptic curves. Then the 
natural map 


Hom,(E, E’) @ Z; > Hom,(T,(E), T(E’) 
is an isomorphism. (Here the right-hand side is the group of Z,-linear homomor- 
phisms from T,({E) to T,(E') which commute with the action of Gg)x. Note that 


we proved injectivity in (III.7.4); the real difficulty lies in showing that the map 
is surjective.) 


References. [Se 5], [Se 6], [Fa 1]. 
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§20. Function Fields and Specialization Theorems 


Let V/K be a variety defined over a number field. Then we can consider 
elliptic curves defined over the function field K(V). These will be curves given 
by a Weierstrass equation 


E:y? + a,xy + a3y =x? + a,x? + agx + dg, 


where a,,..., ag € K(V). Now for almost all points teé V (i.e. outside of some 
proper subvariety of V), all of the functions a,,..., ag will be defined at t. We 
will then be able to define a specialization of E by 


E,: y? + a,(t)xy + a3(t)y = x3 + a,(t)x? + ag(t)x + a,(t). 


Similarly, if P = (x, y)e E(K(V)), then the functions x, ye K(V) will be de- 
fined for almost all te V, and so we can specialize P to a point 


P, = (x(t), yO)e E,. 


Now it is a fact (although we did not prove it) that the group E(K(V)) is 
finitely generated. (I.e. The Mordell—Weil theorem holds in this case.) Thus 
by choosing a finite set of generators for E(K(V)), we can define (for almost 
all choices of te V) a specialization homomorphism 


o,: E(K(V)) > E,. 


Note further that if t¢V(K), then the image of o, lies in E,(K). By using a 
generalization of Hilbert’s irreducibility theorem, Néron proved that the 
specialization homomorphism is frequently injective. 


Theorem 20.1 (Néron [Né 1], [La 7, ch.9]). Let E be an elliptic curve defined 
over the field K(P"). Then there are infinitely many points te P"(K) for which 
the specialization homomorphism 


o,: E(K(P")) > E,(K) 


is injective. 


Corollary 20.1.1. There exist infinitely many elliptic curves E/Q such that E(Q) 
has rank at least 10. 


Remark 20.2. In order to use (20.1) to produce curves E/Q with large rank, 
one must find elliptic curves over Q(T,,..., T,) with large rank. Taking 
n= 18 and letting C/Q(T,, ..., T,3) be the cubic curve passing through the 
nine points (T,, T),...,(T,7, T;g), it is not hard to show that the Jacobian of 
C has rank (at least) 9. To obtain rank 10 (as in [Né 1]), one must do some 
additional work. There are other methods which have now been used to find 
specific elliptic curves over @ with even larger rank ([Mes 1], [Mes 2]), but 
these methods do not give infinite families of such curves. 
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In the case that the variety V is a curve, Néron’s theorem (20.1) can be 
strengthened as follows. 


Theorem 20.3 (Silverman [Sil 3], [La 7, ch.12]). Let C/K be a curve, and let E 
be an elliptic curve defined over the function field K(C). Then the specialization 
map 

g,: E(K(C)) > E, 


is (well-defined) and injective for all but finitely many points te C(K). (More 
generally, it is injective for all but finitely many points of U C(L), where the 
union is over all fields L/K whose degree is bounded by a fixed number.) 


References. [La 7], [Né 1], [Sil 3], [Sil 5], [Ta 8]. 


Notes on Exercises 


Many of the exercises in this book are standard results which were not 
included in the text due to lack of space; while others are special cases of 
results which appear in the literature. The following list thus serves two 
purposes: it is an attempt by the author to give credit for the theorems which 
appear in the exercises, and an aid for the reader who wishes to delve more 
deeply into some aspect of the theory. However, since any attempt to assign 
credit is bound to be incomplete in some respects, the author herewith ten- 
ders his apologies to anyone who feels that they have been slighted. 

Except for an occasional computational problem, we have not included 
solutions (nor even hints). Indeed, since it is hoped that this book will lead the 
student on into the realm of active mathematics, the benefits of working 
without aid clearly outweigh any advantage that might be gained by having 
solutions readily available. 


CHAPTER I 


(1.1) (a) B(A? — 27B)=0 (b) 4A? + 27B? =0 
(1.2) (a) ©,0) (b) 0,0) (© (0,0) (d) (0,9, 1) 
(1.3) [Har, 1.5.1] 

(1.5) (b) P; = (—8/9, 109/27) 

(1.7) (b) ¥=[¥%X] (©) No 


CHAPTER IT 


(2.1) [A-—M, prop. 9.2] 
(2.4) (b) [La 6, lemma, page 7] 
(2.5) [Har, I1.6.10.1] and [Har, IV.1.3.5] 
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(2.6) This volume (ITI §3). 
(2.9) This example is due to Hurwitz [Hur]. See also [Ca 7, §22]. 
(2.11) This proof of Weil reciprocity is due to E. Kani. 


CHAPTER III 


(3.4) P, = —[2]P, + P3, Py = Py — P3, Ps = —[2]P,, Po = —P, + [2] P3, 
P, = [3]P, — Ps 

(3.6) [Har, IV.3.2(b)] 

(3.7) [Ca 1], [Ca 7, lemma 7.2], [La 5, II thm. 2.1] 

(3.8) (b) This volume (VI §6). 

(3.9) [Rob, II.1.2.4], [Rob, 11.2.9] 

(3.13) [Mum, II §7 page 66] 

(3.18) (d) [De 1] 

(3.20) [Shi 1, prop. 4.11] 

(3.21) [Har, IV §4] 

(3.23) This volume (A.1.3). 


CHAPTER IV 


(4.1) (a) [Fro 2, 1 §3 prop. 1] 
(4.2) (b) [Haz, thm. 1.6.1] 
(4.4) [Fro 2, IV §2, thm. 2] 


CHAPTER V 


(5.3) [Har, C.4.1] 

(5.4) (a) Due to F. K. Schmidt. See [Ca 7, lemma 15.1]. (b) [Ta 7] 

(5.8) [Mum, thm. page 217] 

(5.11) This proof of a weak version of [Se 11, §4.3] was suggested by Serre. 


CHAPTER VI 


(6.3) (d) [Wh-Wa, ch. XX, misc. ex. 33] 

(6.4) (a)-(e) [Ahl, ch. 7 §3.2], [Wh—Wa, ch. XX], [La 5, ch. I §6] 
(f) [La 5, ch. I §7]. (Log |G(z)| is a Green’s function.) 

(6.8) For more information about complex multiplication and class field 
theory, see (C §11) and the references listed there. 

(6.11)-(6.13) The literature on elliptic integrals is vast. A nice summary may 
be found in [Wh—Wa, ch. XXII]. 

(6.14) [Cox] 


CuapTer VII 


(7.2) [Ta 6, §3] 
(7.4) [Ta 6,84] 
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(7.9) [Se-T, thm. 2 and corollaries] 

(7.10) For more on complex multiplication, see (C §11) and the references 
listed there. 

(7.11) This volume (A.1.4). 


CHAPTER VIII 


(8.2) This volume (X.6.1b). 

(8.3) This problem was suggested by D. Rohrlich. 

(8.6) [La 7, ch. 3, prop. 1.1] 

(8.7) [Scha] 

(8.9) [La 7, page 54] 

(8.11) [Ca 7, thm. 17.2] 

(8.12) One example of each group allowed by (VIII.7.5). 
(8.14) (a), (b) [Set] (d) [Sil 6] 

(8.15) Due to Tate. See [Og 1]. 

(8.17) (c) [Sil1] (d) [Ol1s] 

(8.18) Due to Dem’janenko and Zimmer. See [La 9] and [Zi]. 


CHAPTER IX 


(9.3) (b) [Mah], [Sil 4] 

(9.5) [Le-M] 

(9.6) Due to A. Thue. 

(9.7) [Se 5, IV §2] 

(9.8) [La 7, ch. 5 §7] 

(9.10) [Dan] 

(9.11) [Mo 4, ch. 26] 

(9.13) This argument appears in an unpublished letter from Tate to Serre. 
One can also do (c) and (d) directly [Mo 4, ch. 27, thm. 2]. 
(d) 2:3 =1-2-3 14-15=5-6°7 


CHAPTER X 


(10.2) [We 5] 

(10.3) This is due to Chatelet. See [Ca 7, thm. 11.1]. 

(10.4) (c) [Ca 7, cor. to lemma 10.3] 

(10.6) [Ca 7, thm. 15.1] 

(10.8) [La—Ta] 

(10.9) (a) [Mo 4, ch. 16, thm. 6] 

(10.10) [Ca 2] 

(10.11) (c), (d) Due to Lang—Tate and Shafarevich. See [Ca 7, lemma 12.2]. 
(e) [Ca 3.5] 
(f) [Ca 2] 

(10.19) (d) Due to Fueter [Fue]. 
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Z1(G,M) 
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Inf 
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bounded function, 215 

logarithmic height function, 215 

height function associated to a rational function, 215 
discriminant of a minimal equation at v, 224 
minimal discriminant of a elliptic curve, 224 
ideal of a Weierstrass equation, 224 

Weierstrass ideal class of an elliptic curve, 224 
canonical (Néron—Tate) height on an elliptic curve, 228 
Néron-Tate pairing, 229, 232 

elliptic regulator, 233 

L-series of an elliptic curve, 234 

number of prime divisors of N, 236 

number of points of bounded height, 236 
Riemann zeta function, 236 

Segre embedding, 236 

d-uple embedding, 237 

approximation exponent, 243 

v-adic distance from P to Q, 245 

exponent for linear forms in logarithm, 257 

size of a, 258 

S-regulator homomorphism, 258 

group of locally-away-from-S m'"-powers, 278 
group of isomorphisms of C, 284 

group of K-isomorphisms of C, 284 

set of twists of C, 284 

twist of a function field by a cocycle, 286 

action of an elliptic curve on a homogeneous space, 288 
subtraction map on a homogeneous space, 288 
Weil—Chatelet group of an elliptic curve, 290 
kernel of an isogeny, 296 

decomposition group at v, 296 

¢-Selmer group of an elliptic curve, 297 
Shafarevich-Tate group of an elliptic curve, 297 
group of unramified cohomology classes, 299 
relative Selmer group, 305 

rational point group, 305 

Cassels’ pairing on the Shafarevich—Tate group, 306 
twists of an elliptic curve, 307 

number of prime divisors of D, 310 

dimension of an F, vector space, 310 

Legendre symbol, 317 

group of G-invariants, 330 

zero" cohomology group, 330 

group of one-cochains, 331 

group of one-cocycles, 331 

group of one-coboundaries, 331 

restriction map on cohomology, 332 

inflation map on cohomology, 332 

group of continuous one-cocycles, 334 


To(N), P(N), P(N) 
X(N), X1(N), X(N) 
X(I) 

Y(I) 

Yo(N), ¥,(N), ¥(N) 


maximal abelian extension of Q, 338 
ideal class group of &, 339 
Hilbert class field of #, 339 


Frobenius for p, 341 


maximal abelian extension of %, 341 


Weber function, 341 
upper half-plane, 343 


lattice generated by 1 and 1, 343 


Eisenstein series, 343 


discriminant function, 343 
j-invariant function, 343 


modular group, 343 


fundamental domain for H/SL,(Z), 343 


exp(2zit), 344 


Riemann zeta function, 345 


divisor function, 345 


Ramanujan function, 345 
Dedekind eta function, 346 
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transformation factor for Dedekind eta function, 346 


cyclic group generated by q, 346 

space of modular forms of weight 2k, 347 
space of cusp forms of weight 2k, 347 
graded ring of modular forms, 347 


Hecke operator, 347 


eigenvalue for Hecke operator, 348 
extended upper half plane, 349 
congruence subgroups, 350 


modular curves, 353 
modular curve, 354 
modular curve, 354 
modular curves, 354 
Tate curve, 356 


curve over Spec(R), 357 
Néron model of an elliptic curve, 358 
special fiber of € and @, 358 


identity component of special fiber of &, 358 
exponent of the conductor of an elliptic curve, 358, 361 


local factor of an L-series, 360 

L-series of an elliptic curve, 361 

measure of wild ramification, 361 
conductor of an elliptic curve, 361 
normalized L-series of an elliptic curve, 361 


sign of the functional equation (equals +1), 362 
(real) period of an elliptic curve defined over Q, 362 
order of the group of components modulo p, 362 


local height function, 364 

second Bernoulli polynomial, 366 
specialization of an elliptic curve, 367 
specialization of a point, 367 
specialization homomorphism, 367 
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Abelian extension, 95, 188, 193, 194, 
196, 236, 299, 338, 339, 341, 342 
Abelian group, 4, 55, 88, 131, 174, 197, 
199, 323, 330, 333 
Abelian variety, 2, 94, 295, 342, 358, 363 
Absolute values (Mx), 189, 243, 277 
archimedean (M°), 189, 250 
non-archimedean (MQ), 189 
standard, 190, 206 
valuation associated to (ord,), 189, 
195 
Addition formula, 58, 80, 81, 82, 106, 
110, 187, 202, 216 
formal, 114 
Addition law, see Group law 
Additive reduction, see Reduction of an 
elliptic curve 
Affine algebraic set, 6 
Affine coordinate ring, 7, 20 
Affine n-space, 5, 8 
Affine variety, 7, 13, 26, 44 
Affine Weierstrass equation, 46, 241 
Algebraic group, 333, 336, 358 
Algebraic set, see Affine algebraic set; 
Projective algebraic set 
Analytic continuation, 361, 362 
Analytic map, see Complex analytic 
map; v-adic analytic map 
Approximation exponent, 243, 244 


Arclength 

of an ellipse, 146, 149, 169 

of a lemniscate, 169 
Arithmetic-geometric mean, 169-170 
Arithmetic intersection theory, 366 
Artin, E., 130 
Artin, M., 134 
Artin map, 340, 342 
Artin—Schreier extension, 329 
Associative law for 

an elliptic curve, 55, 57 

a formal group, 115, 120 

a homogeneous space, 288 
Automorphism group (Aut), 71, 103, 

107, 284, 306-309, 325, 329, 341 

action on WC group, 319 

as a Gx)x-module, 103, 308 

of Tate module, 95, 366 
Auxiliary polynomial, 270 


Bad reduction, see Reduction of an 
elliptic curve 

Baker, A., 257, 261, 340 

Baker’s theorem, 257, 260 

p-adic version, 261 

Basepoint of an elliptic curve, 42, 45, 46, 
306 

Bernoulli polynomial, 366 


386 


Bezout’s theorem, 55 

Big-O notation, 166, 215 

Bilinear pairing, 88, 131, 191, 229, 232, 
278, 306, 319, 323, 364 

Birational, 53 

Birch and Swinnerton-Dyer conjecture, 
234, 315, 362, 363 

Branch cut, 148, 149, 168, 346 

Brauer group, 102, 108 

Brauer—Hasse—Noether theorem, 102, 
321 

Brauer-Siegel theorem, 269 

Bremner, A., 235 


Canonical divisor, 37—40 
Canonical height, see Height; see also 
Néron—Tate pairing 
Cassels, J. W. S., 177, 231, 235, 306, 
363, 364 
Cassels’ pairing, 306, 315, 363 
Cauchy—Schwarz inequality, 131 
Cauchy sequence, 228 
Central simple algebra, 102 
Chain rule, 120 
Character, 132 
sum over a finite field, 132, 141 
Characteristic 
p, 89, 126-128, 130-145 
two and three, 49, 52, 53, 72, 103, 
324-329 
zero, 83, 89, 102, 105, 121, 122, 125, 
146, 164, 165, 177, 194 
Characteristic polynomial, 135 
Chatelet, F., 371 
Chinese remainder theorem, 225 
Class field theory, 188, 338, 370 
Class number, 167, 194, 238, 269 
one, 226, 227, 238, 264, 265, 321, 340 
Coates, J., 261, 363 
Cohomologous one-cocycles, 285, 331, 
334, 336 
Cohomology class, 198, 199, 285, 331 
unramified, 198, 236 
Cohomology group, 291, 330-337 
Cohomology set, 285, 306, 336 
Complementary modulus, 168 
Complete elliptic integral, 168—170 
Complete ring, 112, 117-119, 123, 125 
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Complex analytic 
isomorphism, 105, 150, 158, 161, 162, 
262, 340, 342, 346, 349, 353, 354 
map, 159, 161, 163 
Complex Lie group, see Lie group 
Complex multiplication, 73, 95, 109, 
144, 168, 263, 265, 273, 338-342, 
361, 362, 363, 366, 370, 371 
for curves over Q, 340 
=> potential good reduction, 181, 188 
Composition law, 55, 60 
Conductor 
of an elliptic curve, 358, 359, 361, 362 
of an order, 108 
Congruence subgroup, 350-351, 353, 
354, 362 
Connecting homomorphism, 197, 198, 
199, 277, 278, 300, 319, 332, 334 
Constant map, 25 
Continuous map, 187, 334, 336 
Continuous one-cocycle, 334, 336 
Convex set, 231 
Coordinate functions, see Weierstrass 
coordinate functions 
Coplanar points, 106 
Cotangent space, 159 
Curve, 21-44 
distance function on, 245—247 
hyperelliptic, 26, 44, 255, 293 
maps between, 23-30 
modular, see Modular curve 
smooth, see Non-singular curve 
twists of, 284—287 
Cusp, 49, 50, 60, 61, 104, 180, 240, 349, 
350 
of a congruence subgroup, 350, 354 
Cusp form, 344, 345, 347, 348 
for a congruence subgroup, 350, 
351 
of weight two, 350, 351, 362 
Cyclotomic representation, 92 


d-uple embedding, 237 
Davenport, H., 268 
Decomposition group (G,), 296 
Dedekind y-function, 346, 350 
Dedekind sum, 346 

Defined at P, 9, 15, 16, 22, 35 
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Defined over K, 6, 11, 14, 15, 21, 31, 40, 
46, 57, 60, 63, 71, 94, 208, 287, 
289, 300 
Definite quaternion algebra, 100 
Degree, see also Inseparable degree; 
Local degree; Separable degree 
of an algebraic number, 242, 243 
of a curve, 106 
of a divisor, 31, 32, 152 
of an endomorphism, 134, 265 
of a homogeneous polynomial, 10 
of an isogeny, 70, 76, 88 
of a map, 25, 42, 246 
of a morphism, 208 
of multiplication-by-m map, 86, 89, 
105, 106, 107, 163 
one, 25, 53, 64, 105, 290 
of the zero isogeny, 70 
Degree map, is positive definite, 88, 131 
Dehomogenization, 13, 27, 62 
Deligne, P., 134, 348 
Dem’janenko, V. A., 371 
Descent, 189, 199 
theorem, 199, 205, 206 
via two-isogeny, 302, 303, 311 
via [2]-map, 281, 282 
Determinant, 134 
Deuring, M., 102, 144, 145, 361 
Deuring normal form, 109, 327 
Differential form, 34-37 
associated divisor, 36 
associated to a cusp form, 350, 362 
holomorphic, 36, 37, 39, 44, 52, 159, 
329, 350 
invariant, 48, 52, 65, 79-84, 85, 113, 
149, 172, 362 
non-vanishing, 36, 52, 159 
order at P, 36 
regular, see Differential form, 
holomorphic 
Differential operator, 143, 270 
Dimension, 8, 14, 18, 21, 133, 295 
of a hypersurface, 20 
Dimension theorem, 19 
Diophantine approximation, 241, 242- 
245, 247, 251-254, 265, 274 
Diophantine equation, 1, 12, 241, 244, 
249, 257, 291 
Diophantine geometry, 1, 6, 17, 45 
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Diophantine inequality, 245 
Dirichlet, G. L., 242 
Dirichlet series, 234, 240; see also L-series 
Dirichlet’s S-unit theorem, 195, 253, 
255, 258 
Discrete Gg,x-module, see Ggx-module 
Discrete topology, 333, 334, 336, 364 
Discrete valuation, 192 
ring, 21, 22, 42, 123-126, 171 
Discriminant 
of a lattice, 158, 167, 342, 343, 365 
minimal (A,, Bz/x), 172, 183, 186, 
224, 227, 233, 235, 239, 264, 358, 
359, 361 
as a modular form (A(z)), 343, 345, 
347, 348, 356 
of a number field, 232, 235, 269 
of a polynomial, 26, 44, 51, 158, 273 
of a Weierstrass equation, see Weier- 
strass equation, discriminant 
Disjoint support, see Support of a 
divisor 
Distance function, 245—247, 248, 250, 
251 
effect of a finite map, 246 
Distributive law, 71 
Divisible element, 306, 364 
Division polynomial, 105, 177 
Divisor, 31-34 
associated to a differential, 36 
associated to a function, 32, 153, 280, 
295 
associated vector space (F(D)), 38, 
40, 42, 64, 66, 104, 106 
canonical, 37-40 
defined over K, 31, 40, 44, 68 
degree, 31, 38, 152 
degree 0, 31, 32, 152 
of a differential, 36 
evaluated at a function, 43, 108 
group (Div), 31, 37, 44, 66, 68, 84, 
152, 295, 321 
inequality, 38 
linear equivalence, 32, 38, 65 
positive (effective), 37, 322 
principal, 32, 67 
support, 43, 108 
Divisor class group, 32; see also Picard 
group 
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Divisor function, 345 
Dual isogeny, 73, 74, 84-90, 168, 301, 
302, 310 
is adjoint for Weil pairing, 98 
definition, 86 
of Frobenius, 137 
of multiplication-by-m, 86 
Duality, 364 
Duplication formula, 59, 72, 104, 203, 
217, 221, 222, 310 
Dwork, B., 134 
Dyson, F., 244, 270 


E/E , 183-185, 187, 358, 359 
Effective divisor, see Divisor 
Effectivity, 196, 201, 241, 245, 248, 250, 
252, 254-263, 271, 276, 279, 304 
Eichler, M., 145, 361 
Eigenfunctions, 348, 351 
Eisenstein series, 153, 342-345, 347 
Elimination theory, 211 
Ellipse, 1, 146, 149, 169 
Elliptic curve, 2, 14, 21, 45-368 
in characteristic two and three, 49, 52, 
53, 72, 324-329 
defined over K, 46, 63, 71, 307 
definition, 63 
group of rational points is a sub- 
group, 57 
group of rational points over 
C, 146-170 
finite fields, 60, 130-145, 323 
local fields, 171-188, 355-357 
number fields, 189-240, 276-323 
R, 48, 167, 275, 362 
integral points, 59, 241-275 
K-isomorphism classes, 308 
Elliptic exponential, 262 
Elliptic function, 3, 146, 150-159, 161, 
346, 355; see also Weierstrass 
go-function 
field, 76, 150, 154 
as function of g and g’, 154 
no poles => constant, 151, 160 
as product of o-functions, 156 
Elliptic integral, 146, 147-150, 168-170, 
370 
Elliptic logarithm, 262—263 
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Elliptic regulator, 233, 234, 362 
is positive, 233 
Elliptic surface, 143, 368 
€,-pairing, see Weil pairing 
E,, 187 
Endomorphism ring (End), 71, 100-102, 
103, 109, 134, 163, 168, 339-341 
classification of, 102, 137, 145, 164, 
165 
is an integral domain, 72, 88, 100 
é,-pairing, 107; see also Weil pairing 
Equivalence 
of categories, 26, 162 
of homogeneous spaces, 290, 291 
Euclidean algorithm, 1, 204 
Euler characteristic, 134, 136, 144 
Euler product, 240, 361 
Even function, 59, 154, 155, 216, 218- 
220, 227-229, 247, 248 
Evertse, J.-H., 254 
Exponent 
of the conductor of an elliptic curve, 
358, 359, 361 
m, Galois group with, 193, 194, 196, 
236, 299 
Exponential of a formal group, 121 
Extended upper half-plane (H*), 349- 
351, 353, 354; see also Upper 
half-plane 
Extension formula, 206 


Faltings, G., 94, 266, 366 

Families of elliptic curves, 223, 234, 238, 
276, 309, 323 

Fermat, P., 266 

Fermat’s last theorem, 7 

Fiber, 184, 357-361 

Finitely generated group, 189, 199, 200, 
201, 220, 241, 254 

Finite map, 25, 75 

1 cohomology group, see H! 

Fixed field, 286. 

Formal addition law, 114 

Formal derivative, 120 

Formal group, 110, 115—129, 177 

additive group (G,), 116, 118, 119, 

124, 126 
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associated group, 117-119, 123-126 
associated to an elliptic curve (£), 
115, 116, 118, 121, 128, 137, 174, 
176, 177, 183, 184 
associative law, 115, 120 
in characteristic p, 126-128 
in characteristic 0 is commutative, 122 
defined over R, 115 
exponential (expg), 121-123, 126 
height, 126, 129, 137 
homomorphism, 115, 120, 126 
invariant differential, 119-121, 122, 
127 
isomorphic, 116, 122 
law, 115, 117, 120, 129 
logarithm (logs), 121-123, 124, 126, 
184 
multiplication-by-m map, 116 
multiplication-by-p map, 120 
multiplicative group (G,,), 116, 118, 
119, 121 
non-commutative, 129 
over a DVR, 123-126 
torsion of, over Z,, 124 
torsion points, 118, 123, 124, 126, 
129, 177 
Fourier coefficients, 345 
Fourier series, 344, 345, 355, 356 
Fractional ideal, 33, 237, 341 
Free product of groups, 343 
Frobenius element, 341 
Frobenius (endo)morphism, 19, 29-31, 
74, 83, 85, 89, 128, 131, 135, 137, 
141, 145, 320 
characteristic polynomial, 135 
degree of, 30 
dual of, 137 
1—, is separable, 83, 131 
is purely inseparable, 30 
Fueter, R., 339, 371 
Function 
analytic, 342 
defined at P, 9, 15, 22, 35 
defined by a rational map, 24, 33, 215 
elliptic, see Elliptic function 
even, 59, 154, 155, 216, 218-220, 227- 
229, 247, 248 
modular, see Modular function 
no poles = constant, 22, 151, 160 
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odd, 155, 219 
value at a divisor, 43, 108 
Function field, 7, 14, 15, 21, 26 
as base field, 367-368 
elliptic, see Elliptic function field 
map induced on, by rational map, 24, 
286 
twisted by a cocycle, 286, 287, 293, 
309 
Functional equation, 134, 136, 137, 144, 
361, 362 
Fundamental domain, 232, 233, 243 
Fundamental parallelogram, 150-152, 
262 
area of, 166 
boundary of, 151 
closure of, 150 


G-module, 330-333 
exact sequence of, 331 
homomorphism, 330 
G-invariant element, 330, 334, 336 
Gx)x acting on 
affine coordinate ring, 7, 20 
affine space, 6 
an algebraic group, 295, 333, 336 
Aut(£), 103 
divisor group, 31 
function field, 7, 32 
LD), 40 
maps, 15, 20, 284—286 
Picard group, 32, 295 
projective space, 10, 20 
Tate curve, 356, 357 
Tate module, 91, 94, 95, 109, 178, 
179, 188, 273, 341, 366 
torsion points, 90, 178, 179, 265 
twisted function field, 286, 287, 309 
varieties, 6 
vector space, 40 
Gx x-module, 197, 198, 295, 298, 333- 
337, 356, 357 
invariant elements, 334 
unramified at v, 198 
GAGA, 163 
Galois cohomology, 197, 198, 296, 321, 
333-337 
Gauss, C. F., 170, 316, 318 


390 


Gelfond, A. O., 244, 256, 257, 270 
General linear group (GL,), 44 
Generic fiber, 184, 357, 358 
Genus, 21, 39, 41, 79, 104, 252, 266, 
284, 295 
formula, see Hurwitz genus formula 
of a hyperelliptic curve, 44 
of a modular curve, 351, 355 
one, 2, 21, 40, 42, 44-46, 63-66, 104, 
108, 109, 248, 256, 261, 294, 319- 
321, 351, 360 
of P!, 39 
of a quotient curve, 79, 107 
of a smooth plane curve, 43 
zero, 2, 39, 42, 64 
Global minimal Weierstrass equation, 
see Weierstrass equation 
Good reduction, see Reduction of an 
elliptic curve 
Graded ring, 111, 347 
Gram-—Schmidt, 274 
Greenberg, R., 263 
Green’s function, 370 
Gross, B., 363 
Grothendieck, A., 134 
Group associated to a formal group, see 
Formal group 
Group cohomology, 3, 191, 196, 277, 
330-337; see also Galois 
cohomology 
non-abelian, 335-336 
Group law on an elliptic curve, 55, 57, 
58, 60, 65, 80, 81, 354 
effect on height, 216 
is a morphism, 68 
Group scheme, 184, 358 


®, 3, 330-337 
H', 3, 197, 198, 330-337 
= Hom if trivial action, 331, 334 
of Aut(E), 307-309, 319, 322, 329 
of E, 197, 287, 291, 294, 296, 297, 
307; see also Weil—Chatelet group 
of E[m], 197, 287, 320; see also Selmer 
group 
of E[@], 296-300; see also Selmer 
group 
of GL, 336 
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of Isom(E), 285, 292, 306, 307 
of Kt, 335 
of K*, 20, 43, 198, 277, 279, 321, 335, 
336 
of p,,, 198, 199, 277, 300, 308, 320, 
335 
unramified outside S, 299 
Hall, M., 268 
Hasse, H., 75, 131, 132, 341 
Hasse invariant, 137, 140, 145; see also 
Ordinary; Supersingular 
Hasse—Minkowski theorem, 2 
Hasse principle, 2, 12, 234, 276, 277, 
279, 360 
Hecke L-series, 361 
Hecke operator, 347, 348, 351, 362 
Heegner, K., 340 
Heegner point, 363 
Height, 189, 190, 201, 205-220, 227— 
233, 241 
on an abelian group, 199 
absolute, 208, 215, 252 
action of Gg,x on, 213 
of an algebraic number, 211 
equals | <> root of unity, 236 
relation to size, 258 ; 
behavior under maps, 208, 215, 216, 
219, 229, 237, 239, 275 
canonical (h), 219, 227-233, 235, 262, 
363-365; see also Néron—Tate 
pairing 
computation of, 364 
difference from usual height, 229, 
239 
equals 0 <> torsion point, 229 
lower bound, 233, 239, 274 
is positive definite, 232, 262 
on an elliptic curve, 201, 215-220, 
227-233, 239, 251, 305 
finitely many points with bounded, 
200, 202, 206, 213, 216, 236 
of a formal group, 126, 128, 129, 137 
of generators for Mordell—Weil 
group, 235 
of a homomorphism of formal 
groups, 126, 128 
of integral points, 250, 261, 263, 268 
local, 228, 364-366 
logarithmic, 215, 235, 257, 269 
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Néron-Tate, see Height, canonical 
on P"(Q), 206, 207 
on projective space, 205, 207, 215, 
236 
of a rational number, 202 
relative to f (h,), 215, 220, 227-230, 
247, 250-252, 275 
relative to K (Hx), 207, 241, 243, 245, 
247, 252, 258, 259, 271 
of the roots of a polynomial, 211 
Hensel’s lemma, 2, 111, 112, 174, 297, 
299, 312, 322 
Hessian matrix, 106 
Hilbert basis theorem, 6, 165 
Hilbert class field, 167, 339, 340, 341 
Hilbert irreducibility theorem, 367 
Hilbert problem, 256 
Hilbert theorem ninety, 20, 43, 198, 277, 
279, 321, 335, 336 
Holomorphic differential, 36, 37, 39, 44, 
52, 159 
on P!, 37 
Homogeneous 
coordinates, 10, 20, 43, 61, 133, 173, 
205, 207, 213 
ideal, 10, 11, 13, 29 
polynomial, 10, 15, 16, 20, 30, 133, 
203, 204, 208, 273 
Homogeneous space, 276, 277, 279, 284, 
287-296, 297, 299, 304, 310, 319; 
see also Shafarevich—Tate group; 
Weil—Chatelet group 
associated to a quadratic extension, 
293, 301, 302 
divisor group, 295, 321 
equivalence of, 290, 291 
index, 321-322 
locally trivial, 298, 304, 311, 312, 316, 
322 
period, 321-322 
Picard group, 294, 295, 321 
summation map on, 295 
trivial, 290, 297 
is a twist, 289 
Homogenization, 13 
Homology of E (H,(E, Z)), 149, 161 
Homomorphism of formal groups, 115, 
120, 126 
Homomorphism group (Hom), 71, 81, 
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92, 107, 145; see also Endo- 
morphism ring 
degree map on, 88, 92 
rank < 4,94 
of Tate modules, 92, 94, 107, 145, 366 
is a torsion-free Z-module, 71, 93 
Homothetic lattices, 161, 163, 164, 342, 
343 
Homothety, see Scalar multiplication 
Hurwitz, A., 242, 370 
Hurwitz genus formula, 41, 42, 44, 65, 
79 
Hyperbola, 1! 
Hyperelliptic curve, 26, 44, 255, 293 
Hyperplane, 11, 12, 25, 106, 258 
Hypersurface, 20 


Ideal class group, 33, 194, 224, 235, 339, 
340 
Ideal of a variety, 6 
Identity component, 358 
Index of a homogeneous space, 321~322 
Inertia group, 178, 198, 298 
action on E[m] and T,(E), 179, 184- 
186, 187, 361 
Infinite descent, 189 
Inflation map on cohomology, 332, 335, 
337 
Inflation-restriction sequence, 197, 236, 
299, 332, 335, 337 
Inseparable 
degree, 25, 70, 76, 128 
map, 25, 137 
Integral extension of rings, 249 
Integral j-invariant, see j-invariant 
Integral points, 3, 59, 241-275 
effective bounds, 252, 261, 263, 268 
finitely many S-, 248, 249, 252, 255, 
266, 273 
on hyperelliptic curves, 255 
number of, 250, 251, 272 
in Z, 3, 59, 260, 261, 266, 268, 272, 
273, 275 
Invariant differential, 48, 52, 65, 79-84, 
85, 113, 149, 172 
of a formal group, 119-121 
Invariant of a quaternion algebra, 102 
Inverse limit, 333 
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Isogenous elliptic curves, 70, 145, 168, 
185, 363 
have same coductor, 361 
have same bad primes, 185, 299 
finitely many over K, 264, 265 
Isogeny, 70-79, 81, 84, 92, 276; see also 
Dual isogeny; Homomorphism 
group 
associated moduli problem, 352-354 
defined over K, 71, 94, 264, 265, 296, 
298 
of degree two, 74, 301, 302, 310, 311 
Frobenius, see Frobenius (endo)- 
morphism 
given by an analytic map, 159-161, 
162 
is a homomorphism, 75, 161 
inseparable degree, 128 
kernel of, 76, 107, 265, 296, 301, 302, 
311, 319, 320, 352 
separable, 76, 78, 85 
theorem, 94 
Weil pairing on kernel, 107, 319 
Isomorphism, 17, 19 
complex analytic, 105, 150, 158, 161, 
162 
of curves, 25, 264, 284, 300 
defined over K, 17 
of formal groups, 116, 122 
Isomorphism group (Isom), 107, 284— 
286, 292, 306, 307; see also 
Automorphism group 
may be non-abelian, 285 
of an elliptic curve, 306, 307 


j-invariant, 48-52, 54, 137, 140, 143, 

168, 183, 233, 239, 308, 324, 325. 
327, 339, 349, 359, 366 

of a curve of genus one, 108, 109 

of a CM elliptic curve, 188, 339, 341, 
342 

integral, 181, 186, 188, 233, 251, 328, 
339 

integral = potential good reduction, 
181, 328 

j= O0andj = 1728, 54, 103, 104, 144, 
145, 167, 308, 309, 323, 325, 329, 
341 
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of a lattice, 167, 339, 342, 343 
as a modular function, 343, 345, 349, 
356 
non-integral, 356, 357 
transcendental, 137, 145 
Jacobi, C. G. J., 345 
Jacobian variety, 294, 367 
Jordan normal form, 136 


K-rational points, 5, 6, 10, 11, 20 
Kani, E., 370 
Katz, N., 177 
Kenku, M., 265 
Kodaira, K., 183, 358 
Kodaira symbol, 359 
Kronecker’s theorem, 236 
Kronecker—Weber theorem, 338 
Krull’s Hauptidealsatz, 20 
Krull’s theorem, 119 
Kummer pairing, 191, 196, 197, 277, 
279 

kernel of, 191, 277 

via cohomology, 196-199 
Kummer sequence 

for E, 197, 278, 287 

for K*, 198, 278 
Kummer theory, 194, 196 


L£(D), ¢(D), see Divisor, associated 
vector space 
¢-adic cohomology, 134 
¢-adic representation, 91, 187 
image of, 95, 366 
is irreducible, 273 
¢-adic Tate module, see Tate module 
¢-adic Weil pairing, see Weil pairing, 
¢-adic 
L-series, 234, 240, 338, 360-363; see also 
Birch and Swinnerton-Dyer 
conjecture 
Lang, S., 177, 233-235, 250, 254, 268, 
371 
Lang—Trotter conjecture, 144 
Laska, M., 227 
Lattice, 105, 149, 150, 153, 159, 160, 
162, 163, 165, 166, 168, 231, 262, 
265, 274, 342, 349 
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discriminant, 158, 167, 342, 343, 345 
homothetic, 161, 163, 164, 342, 343 
of an ideal, 339 
j-invariant, 167, 339, 342 
in R &) E(K), 231, 232 
rectangular, 167 
Laurent series, 110, 113, 157 
Lefschetz principle, 164, 165 
Legendre normal form, 53-55, 108, 
141, 143, 167, 168, 182, 183, 
327 
Legendre relation, 166 
Legendre symbol, 317 
Lehmer, D. H., 144 
Lemniscate, 169 
Lie group, 158, 161, 162 
Limit formula, 363 
Lind, C.-E., 304, 316 
Line, 1, 11, 14, 19, 27, 55, 67, 114, 174 
at infinity, 46, 49 
Line integral, 146, 147; see also Elliptic 
integral 
Linear change of variable, 1, 49, 53, 61, 
64, 106, 172, 173, 224, 324 
Linear equivalence, 32, 38, 65 
Linear forms 
in elliptic logarithms, 262-263, 269 
in logarithms, 245, 248, 252, 257, 259, 
260 
in p-adic logarithms, 261 
Linear fractional transformation, 343 
Liouville, J., 242, 244 
Liouville’s theorem, 151, 272 
Local class field theory, 188 
Local degree at v (n,), 206, 241, 258 
Local height function, see Height 
function 
Local ring at P, 9, 15, 21 
isa DVR, 21, 42 
Locally trivial homogeneous space, 298, 
304, 311, 312, 316, 322; see also 
Shafarevich—Tate group 
Logarithm 
elliptic, 262—263 
of a formal group, 121-123 
linear form, see Linear forms in 
logarithms 
p-adic, 257, 261 
Lutz, E., 221 
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Mahler, K., 244 
Manin, Ju., 223, 355 
Map, see also Isogeny; Morphism; 
Rational Map 
analytic, 159, 161 
between curves, 23-30, 41, 43 
between varieties, 15—18 
constant, 25 
continuous, 187, 334 
defined over K, 15 
degree, 25, 42, 76, 246 
of degree one, 25, 53, 64, 105, 290 
finite, 25, 75 
inseparable, 25, 70 
multiplication, see Multiplication-by- 
m map 
ramification index, 28, 41, 76, 246 
separable, 25, 34, 35, 41, 43, 70, 76, 
78, 83 
translation, 68, 75, 76, 80 
unramified, 28, 76, 79, 107, 251, 252 
Masser, D., 263 
Mass formula, 145 
Maximal abelian extension, 188, 236 
everywhere unramified, 167, 339, 340, 
341 
of Q@ (Q%), 338, 341 
of a quadratic imaginary field, 341, 342 
unramified outside S, 194, 196 
Maximal real subfield, 354 
Maximal unramified extension of a local 
field (K""), 178, 185 
Mazur, B., 223, 265, 355 
Mean value theorem, 243, 260 
Measure, 231, 272 
Mellin transform, 361, 362 
Mestre, J.-F., 234 
Minimal field of definition, 10, 191, 213 
Minimal discriminant, see Discriminant 
Minimal polynomial, 243 
Minimal scheme, 358 
Minimal Weierstrass equation, see 
Weierstrass equation 
Minkowski, H., 196, 231, 232 
Mx, see Absolute values 
Modular curve, 223, 338, 351-355 
affine, 354 
cusps, 354 
genus, 351, 355 
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Modular form, 344, 345 
algebra of, 347, 348 
associated L-series, 360-362 
for a congruence subgroup, 350, 351 
Fourier series, 344, 345, 348 
product expansion for A, 345 
Modular function, 3, 147, 161, 338, 339, 
342-351, 355 
for a congruence subgroup, 350 
field of, 347, 348 
Fourier coefficients, 345 
Fourier series, 344, 345, 355 
weight of, 344 
Modular group (SL,(Z)), 343, 344, 346, 
349-354, 362 
Moduli space, 352, 353 
Modulus of an elliptic integral, 168 
Mordell, L.J., 266, 316, 348 
Mordell conjecture, 94, 266 
Mordell—Weil group, 189, 233, 267 
computation of, 276-323 
via [m]-descent, 305 
via [2]-descent, 281 
via two-isogeny, 302 
examples, 275, 282, 303, 311, 314, 315 
height of generators, 235, 263, 269, 305 
over an infinite extension, 236 
rank of, see Rank of an elliptic curve 
torsion subgroup, see Torsion 
subgroup 
Mordell-Weil theorem, 60, 189, 197, 
199, 205, 215, 220, 231, 233, 241, 
367; see also Weak Mordell—Weil 
theorem 
lack of effectivity, 196, 201, 263, 269, 
276, 279, 304 
over Q, 201-205 
Morphism, 16, 19, 68, 288; see also 
Isogeny; Map 
between curves, 23, 24, 26 
between projective spaces, 17, 208, 
217 
defined by a rational function, 24, 33, 
215, 286 
m-torsion subgroup (E[m]), 73, 86, 89, 
95, 137, 163, 165, 191, 197, 277, 
278, 320; see also Torsion 
subgroup; Torsion point 
action of Gg), 90, 178, 179, 187, 265 
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associated moduli problem, 352-355 
reduction map injects, 176, 179, 193, 
196, 222, 282, 298, 310 
is unramified, 179, 184 
M,, 94, 102, 108 
Multiplication-by-m map ([m]), 45, 57, 
71, 73, 91, 197, 254, 301, 304 
in characteristic p, 137 
degree of, 86, 89, 105, 106, 107, 163 
dual of, 86 
effect on height, 219, 229, 239 
is finite, 71, 83 
on a formal group, 116 
kernel of, see m-torsion subgroup 
is separable, 83 
is unramified, 251, 252 
Multiplicative reduction, see Reduction 
of an elliptic curve 


Nagell, T., 221 
Negation formula, 58 
Néron, A., 183, 184, 227, 229, 234, 358, 
364, 367 
Néron model, 184, 357-359, 361 
Néron—Ogg-Shafarevich criterion, 179, 
184, 322, 340 
Néron-Tate height, see Height, 
canonical 
Néron-Tate pairing (< , >), 229, 232; 
see also Elliptic regulator 
Nevanlinna theory, 268 
Newton iteration, 112 
Node, 48, 50, 60, 61, 104, 180, 240, 357 
Noether, 321 
Noetherian, 42 
Non-abelian cohomology, 335-336 
Non-commutative formal group, 129 
Non-singular 
curve, 21, 25, 26 
hypersurface, 20 
part of E (E,,), 60-63, 104, 173, 174, 
176, 180, 183 
point, 8, 9, 14, 20 
reduction, see Reduction of an 
elliptic curve, good 
variety, 8, 133 
Weierstrass equation, 50, 63, 64 
Non-split reduction, see Reduction of 
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an elliptic curve 

Non-vanishing differential, 36, 52, 159 
Norm, 101, 257, 258, 274 
Nullstellensatz, 209, 211, 239 
Number of points 

of bounded height, 205, 214, 236 

integral points, 250, 251, 272 

over finite fields, 130—132, 360 


Odd function, 155, 219; see also Even 
function 
Ogg, A., 184, 361 
Ogg’s formula, 361 
One- 
coboundary, 331 
cochain, 331 
cocycle, 20, 190, 197, 236, 258, 331 
continuous, 334 
unit, 118 
Order 
associated to a valuation (ord,), 189, 
195, 255, 280, 361 
of a differential, 36 
of an elliptic function, 151, 152 
of a function (ordp), 22, 32, 249 
of a meromorphic function at a point 
(ord,,), 151 
Order in a field or algebra, 100, 102, 
108, 137, 145, 164, 165 
Ordinary, 137, 144; see also Super- 
singular 
Orthogonal basis, 274 


Parabola, 1 
Parallelogram law, 229 
=> quadratic, 230 
Parametrized by modular functions, see 
Weil curve 
Parshin, A. N., 266 
Perfect field, 5 
Period of a homogeneous space, 321— 
322, 362 
Periods of an elliptic curve, 149, 162, 
168 
are independent, 149, 161 
g-function, see Weierstrass g-function 
@-approximable, 272 
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g-Selmer group, see Selmer group 
Picard—Fuchs differential operator, 143 
Picard group (Pic), 32, 33, 34, 42, 66, 75, 
84 
of a homogeneous space, 295, 321 
K-rational subgroup (Picx), 32, 33, 44 
Pigeon-hole principle, 242, 270 
Pointed set, 285, 336 
Point(s) at infinity, 14, 22, 26, 33, 46, 
50, 55, 62, 132, 293, 349 
Point of finite order, see Torsion point 
Pole, 22, 24, 38, 64, 151, 152, 154, 155, 
157, 246, 249 
Positive definite quadratic form, 88, 
131, 231, 232, 274 
Positive divisor, see Divisor 
Potential good reduction, see Reduction 
of an elliptic curve 
Principal divisor, 32, 67 
has degree zero, 32 
Principal homogeneous space, see 
Homogeneous space 
Principal ideal domain, 194, 205, 206, 
227, 255, 267, 275 
Product formula, 207, 271 
Profinite group, 333 
Profinite topology, 333, 334, 336 
Projective 
algebraic set, 11 
closure, 13, 26, 293 
space, 10, 20 
variety, 12, 13, 132-134 
P!, 32, 37, 39, 42, 53, 65, 358 
p-torsion in characteristic p, 64, 137 
Purely inseparable map, 25, 30, 70, 137; 
see also Frobenius (endo)- 
morphism 


q-expansion, see Fourier series 
Quadratic character, 132, 141, 287 
Quadratic form, 88, 131, 219, 227, 231, 
232, 233, 239, 274 
Quadratic imaginary field, 100, 102, 
145, 164, 167, 339-342 
abelian extension, 339-342 
class field theory, 339-342 
class number one, 340 
order in, 108, 137, 164, 165 
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Quadratic real field, 235 
Quadratic reciprocity, 2, 317 
Quadric surface, 106 
Quantitative estimate, 235, 250, 254 
Quartic residue, 316, 318 
Quasi-minimal Weierstrass equation, 
238, 251 
Quasi-parallelogram law, 365 
Quasi-period, 166, 346, 365 
Quaternion algebra, 100, 102, 108, 137 
maximal order, 108 
ramified, 102 
split, 102, 108 
Quaternion group, 329 
Quotient of a curve by a finite group, 
78, 107, 341 


Ramanujan, S., 345 
Ramanujan t-function, 345, 348 
Ramification index, 28, 41, 76, 246 
Ramified quaternion algebra, 102 
Rank of an elliptic curve, 189, 233-235, 
255, 362, 363 
can be arbitrarily large?, 234 
examples with large rank, 234, 367 
one, 275, 314, 363 
over an infinite extension, 236 
relation with integral points, 251 
of a twist, 323 
upper bound for, 235, 277, 311, 323 
zero, 314, 316 
Rational map, 15, 16, 19; see also Map; 
Morphism 
defined at a point, 16 
defined by a function, 24, 33, 215 
defined over K, 15, 20 
need not be a morphism, 17, 237 
regular, 16, 23 
of smooth curves is a morphism, 23, 
26, 64, 68 
value at a point, 16 
Rational point group, 305 
Reduction map, 173, 176, 194, 358 
is injective on torsion, 176, 179, 193, 
194, 298 
kernel of, 174, 194, 357, 358 
Reduction modulo z, 171, 173, 174 
Reduction of an elliptic curve (£), 60, 
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173, 179-183, 193, 240, 357 
additive (unstable), 180, 181, 186, 
359-361 
bad, 179-181, 192, 193, 198, 240, 278, 
281, 299, 357, 360 
change under field extension, 181 
everywhere good, 238 
none over Q, 239, 264 
good (stable), 179-181, 184-188, 192, 
238, 263, 266, 273, 322, 328, 341 
for all but finitely many v, 193 
finitely many with, outside S, 263 
=> injective on torsion, 176, 179, 
193, 196, 222, 282, 298, 310 
isogenous curves, 185 
multiplicative (semi-stable), 180, 181, 
186, 328, 357, 359-361 
non-singular part (£,,), 173, 174, 176, 
180, 183, 358, 360 
non-split, 180 
potential good, 181, 186, 187 
split multiplicative, 180, 183, 328, 357, 
359, 360, 366 
at-v (E,), 193, 360 
Regular 
differential, see Holomorphic 
differential 
function, 9, 15, 22, 35 
rational map, 23 
scheme, 357, 358 
Regulator 
elliptic, 233, 234, 362 
homomorphism, 258 
of a number field, 232, 269 
Reichardt, H., 304 
Relative Selmer group, 305 
Representation, 90, 92, 134; see also 
Gx)x acting on... ; ¢-adic 
representation 
Residue 
of a differential, 137 
of a function, 151, 152, 154 
Residue theorem, 151 
Restriction map on cohomology, 297, 
320, 332, 334, 337 
image of, 337 
kernel of, 337 
Resultant, 204 
Riemann hypothesis, 134, 136, 137 
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Riemann-Roch theorem, 37, 39, 40, 42, 

45, 57, 63-66 
effective version, 261 

Riemann surface, 146, 148, 149, 158 

Riemann zeta function, 166, 236, 338 

Rohrlich, D., 371 

Roots of unity, 91, 95, 98, 194, 258, 277, 
338 

Roth, K. F., 244 

Roth’s lemma, 270 

Roth’s theorem, 3, 244, 254, 269-272 


S-integers, 194, 227, 241, 248, 251 
S-integral points, see Integral points 
S-minimal Weierstrass equation, 227 
S-regulator homomorphism, 258 
S-unit equation, 241, 252-256, 257, 262, 
269 
effective bound, 259 
number of solutions, 254 
S-unit group, 194, 241, 249, 261 
S-unit theorem, 195, 253, 255, 258 
Scalar multiplication, 159, 160, 163 
Schanuel, S., 214 
Scheme, 357~360 
Schmidt, F. K., 370 
Schmidt, W., 244, 268 
Schneider, T., 256, 257 
Schur’s lemma, 341 
Secant line, 14 
Segre embedding, 236 
Selmer, E., 12, 304 
Selmer conjecture, 315 
Selmer group, 296-306, 311, 316; see 
also Shafarevich—Tate group; 
Weil—Chatelet group 
is effectively computable, 299 
examples, 300, 303, 311, 323 
is finite, 298 
relative, 305 
Semi-stable reduction theorem, 181, 328 
Separable 
degree, 25, 42, 70, 76 
extension, 22, 35, 44, 329 
map, 25, 34, 35, 41, 43, 70, 76, 78, 85 
Serre, J.-P., 144, 184, 265, 366, 370, 371 
Shafarevich, I. R., 184, 234, 263, 266, 
371 
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Shafarevich’s theorem, 263—266 
Shafarevich—Tate group, 276, 296-306, 
311, 315, 316, 322, 362, 363; see 
also Selmer group; Weil—Chatelet 
group 
Cassels pairing, 306, 315, 364 
examples, 300, 303, 311, 314 
is finite?, 277, 305 
non-trivial elements, 316 
Sheaf cohomology, 137 
Shimura, G., 361, 362 
Siegel, C. L., 244, 255, 266, 269, 270 
Siegel’s identity, 256 
Siegel’s theorem, 60, 241, 247, 252, 254, 
264, 265, 266, 273 
is not effective, 250 
Sigma function, see Weierstrass 
o-function 
Sign of the functional equation, 362 
Simply transitive group action, 287 
Singular point, 18, 20, 48, 61 
of a scheme, 357, 358 
Silverman, J. H., 368 
Size, 258 
SL,(Z), 343, 344, 346, 349-354, 362 
Smooth, see Non-singular 
Spec(R), 184, 357-359 
Special fiber, 184, 357-360, 361 
Specialization homomorphism, 367—368 
Special value, 362 
Split multiplicative reduction, see 
Reduction of an elliptic curve 
Split quaternion algebra, 102, 108 
Standard absolute values, 190, 206 
Stark, H., 268, 340 
Stokes’ theorem, 150 
Subtraction map, 288, 289 
Summation map, 68, 84, 153, 295 
Sup norm, 257, 258 
Supersingular, 137, 140, 144, 145, 309; 
see also Ordinary 
Support of a divisor, 43, 108 


Tamely ramified, 188 
Tangent 
line, 14 19, 43, 49, 55, 58, 61, 62, 104, 
106, 240, 357 
plane, 18 
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Taniyama—Weil conjecture, 355, 362 
Tate curve, 338, 355-357 
Tate, J., 172, 184, 228, 229, 234, 357, 
363, 364, 371 
Tate module (7,(E)), 90-95, 134, 145 
action of Ggx, 91, 94, 95, 109, 178, 
179, 188, 273, 366 
action of inertia, 184, 186, 187, 361 
as a homology group, 94 
of K (T,(p)), 91, 135 
T,(E) in characteristic p, 91, 139, 145 
Weil pairing on, 99, 135 
as a Z,-module, 91 
Tate’s algorithm, 181, 227, 338, 357, 360 
Tate—Shafarevich group, see 
Shafarevich—Tate group 
t-function of Ramanujan, 345, 348 
Taylor series, 48, 234, 270 
Theorem 90, see Hilbert theorem 90 
Theta function, see Weierstrass 
o-function 
Thue, A., 244, 270, 273, 371 
Thue equation, 273 
Torsion conjecture, 223 
Torsion point, 95; see also m-torsion 
subgroup 
associated moduli problem, 352—355 
generates abelian extensions, 341, 342 
<> h = 0, 229 
integrality conditions, 177, 220-221, 
237 
one-parameter family, 223, 238; see 
also Modular curve 
over global fields, 176, 178, 187, 220- 
223 
over local fields, 175—178 
Torsion subgroup (£,,,,), 73, 189, 220, 
233, 277, 362; see also m-torsion 
subgroup 
of a CM curve, 341, 342 | 
computation of, 176, 222, 275, 282, 
311 
over Q, 223, 238, 239, 262, 323 
p-primary part, 223 
Torus, 148, 149, 159, 160, 342, 346 
Trace, 41, 101, 134 
of Frobenius, 135 
Transcendence degree, 8, 26, 79, 165, 
286 
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Transcendence theory, 241, 274 
Transcendental number, 243, 256, 257, 
272 
Translation map, 68, 75, 76, 80, 97, 109, 
284, 287, 292, 293, 300, 306 
Triangle inequality, 209, 211, 271 
Triplication formula, 72, 104 
Trivial homogeneous space, 290, 297 
Twist 
of a curve, 284—287 
of an elliptic curve, 239, 284, 287, 
293, 306-309, 319, 322, 323, 329, 
357 
of a function field by a cocycle, 286, 
287, 293 
of an L-series, 362 
by a quadratic character, 287 
Twisted product of groups, 306, 329, 
337 
Two-descent, 281 
Two-isogeny, see Isogeny of degree two 
Two-sphere, 148 


Uniformization theorem, 150, 161-164, 
349, 355, 356 
non-archimedean, 356, 357 
Uniformizer, 22, 23, 28, 30, 35-37, 44, 
53, 110, 171, 246 
Unique factorization domain (UFD), 16 
Unit equation, see S-unit equation 
Unit group, 33, 171, 190, 232, 234, 235, 
263, 269; see also S-unit group 
Unramified 
extension of fields, 124, 178, 181, 185, 
188, 193, 280 
map, 28, 76, 79, 107, 251, 252 
at P, 28 
outside S, 194, 196, 280, 299 
at v, 178, 179, 184, 198, 236, 280, 298, 
322 
Upper half-plane (H), 343-345, 349 
extended (H*), 349, 350, 351, 353, 
354 


v-adic analytic map, 356 
v-adic distance function, see Distance 
function 
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v-adic topology, 187, 245, 247, 252, 356, 
364, 365 
Valuation 
associated to an absolute value, 189, 
280 
of a local coordinate ring, 22, 32; see 
also Order of a function 
of the minimal discriminant, 172, 183 
Variety, 1, 5-20, 367 
over a finite field, 132-134 
Vojta, P., 268 


Weak Mordell—Weil theorem, 116, 175, 
189, 190-196, 220, 235, 251, 276, 
278, 287, 298; see also Mordell— 
Weil theorem 
Weber function, 341, 342 
Weber, H., 339 
Weierstrass, K. T. W., 153 
Weierstrass class of an elliptic curve 
(Qg/x), 224, 225, 238 
Weierstrass coordinate functions, 63, 64, 
65, 69, 81, 82, 87, 106, 110, 161, 
218, 220, 248, 249, 256, 279, 329, 
341, 365 
Weierstrass equation, 45, 46—55, 57, 58, 
74, 103, 106, 111, 121, 131, 140, 
144, 145, 160, 177, 183, 184, 187, 
202, 216, 262, 263, 268, 275, 280 
affine, 46, 241 
composition law on, 55 
Deuring form, 109, 327 
discriminant, 48, 50, 60, 61, 72, 104, 
180, 183, 223, 227, 239, 263, 294, 
324, 325, 327, 365 
is an elliptic curve, 64 
formal solution, 114 
global minimal, 224—227, 238, 240, 
362 
calculation of, 227 
may not exist, 226, 238 
group law, 55-63, 65, 66 
invariant differential, 48, 52, 65, 79— 
84, 85, 113, 149, 172, 329 
j-invariant, see j-invariant 
Legendre form, 53-55, 108, 141, 143, 
147, 167, 168, 182, 183, 327 
linear change of variables, 49, 53, 61, 
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64, 172, 173, 224, 225, 324, 364 
minimal, 171-174, 179, 180, 186, 187, 
193, 224, 357, 359, 365 
non-singular, 50, 63, 64, 250, 325 
non-singular part (E,,), 60-63, 104, 
173 
normal forms, 46, 48, 324 
point at infinity, 46, 50, 55, 132 
quasi-minimal, 238, 251 
real locus, 48, 167 
reduction modulo z, 171, 173; see also 
Reduction of an elliptic curve 
singular, 48, 53, 60-63, 104 
S-minimal, 227, 264 
of a twist, 287, 308 
Weierstrass g-function, 153-162, 262 
algebraic relation, 157, 158 
Fourier series, 346 
generates elliptic function field, 154 
Laurent series, 157 
as a modular function, 346 
relation with a, 156, 166 
Weierstrass preparation theorem, 129 
Weierstrass o-function, 156, 166, 346, 
365 
Weierstrass ¢-function, 166 
Weight of a modular function or form, 
153, 344, 345, 347, 348 
Weil, A., 81, 132, 134, 361, 362 
Weil—Chatelet group, 290, 291, 294, 
296, 297, 300, 302, 307, 320; see 
also H’ of E; Selmer group; 
Shafarevich—Tate group 
group law, 291, 319 
over a finite field, 320 
over R, 320 
Tate pairing, 364 
Weil conjectures, 132-134, 348 
for elliptic curves, 134-136 
for P", 144 
Weil curve, 355, 361, 362, 363 
Weil pairing, 95-100, 107, 108, 277, 
278, 279, 320, 353 
alternative definition, 107, 319 
dual isogeny is adjoint, 98 
image of, 97 
f-adic, 99, 135 
relative to an isogeny, 107, 319 
Weil reciprocity law, 43, 108, 370 
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Weil—Taniyama conjecture, see 
Taniyama—Weil conjecture 

Wild ramification, 361 

Wiles, A., 363 

Winding number, 152 

Wronskian determinant, 270 

Wiistholz, G., 263 


Zagier, D., 363 
Zero isogeny, 57, 70, 71 
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Zero of a function, 22, 38, 151, 152, 155, 
157, 245 
0 cohomology group, see H° 
Zeta function 
of an elliptic curve, 136, 360 
of P", 133 
of Riemann, 166, 236, 345 
of a variety, 133-134 
of Weierstrass, 166 
Zimmer, H., 371 
Zorn’s lemma, 165 
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